Revert "Security Vulnerability - CVE-2012-6702 and CVE-2016-5300"
This reverts commit caf0317e4cd0cd19a1bed5e2c68ca2bc86b0f7ba.
Reason for revert:
Revert this patch for now so that we can let AOSP merge-CL (go/oag/756770) flow down. The upstream Python probably fixed this issue.
Test: m -j
Bug: b/29149404
Change-Id: Ic84d041956ea244041182a9113deaf54edee6b0b
diff --git a/Modules/expat/xmlparse.c b/Modules/expat/xmlparse.c
index 3f0939e..4128387 100644
--- a/Modules/expat/xmlparse.c
+++ b/Modules/expat/xmlparse.c
@@ -2,20 +2,6 @@
See the file COPYING for copying permission.
*/
-#include <stddef.h>
-#include <stdint.h>
-#include <string.h> /* memset(), memcpy() */
-#include <assert.h>
-#include <limits.h> /* UINT_MAX */
-
-#ifdef COMPILED_FROM_DSP
-#define getpid GetCurrentProcessId
-#else
-#include <sys/time.h> /* gettimeofday() */
-#include <sys/types.h> /* getpid() */
-#include <unistd.h> /* getpid() */
-#endif
-
#define XML_BUILDING_EXPAT 1
#ifdef COMPILED_FROM_DSP
@@ -30,6 +16,12 @@
#include <expat_config.h>
#endif /* ndef COMPILED_FROM_DSP */
+#include <stddef.h>
+#include <string.h> /* memset(), memcpy() */
+#include <assert.h>
+#include <limits.h> /* UINT_MAX */
+#include <time.h> /* time() */
+
#include "ascii.h"
#include "expat.h"
@@ -440,7 +432,7 @@
getElementType(XML_Parser parser, const ENCODING *enc,
const char *ptr, const char *end);
-static unsigned long generate_hash_secret_salt(XML_Parser parser);
+static unsigned long generate_hash_secret_salt(void);
static XML_Bool startParsing(XML_Parser parser);
static XML_Parser
@@ -699,38 +691,11 @@
};
static unsigned long
-gather_time_entropy(void)
+generate_hash_secret_salt(void)
{
-#ifdef COMPILED_FROM_DSP
- FILETIME ft;
- GetSystemTimeAsFileTime(&ft); /* never fails */
- return ft.dwHighDateTime ^ ft.dwLowDateTime;
-#else
- struct timeval tv;
- int gettimeofday_res;
-
- gettimeofday_res = gettimeofday(&tv, NULL);
- assert (gettimeofday_res == 0);
-
- /* Microseconds time is <20 bits entropy */
- return tv.tv_usec;
-#endif
-}
-
-static unsigned long
-generate_hash_secret_salt(XML_Parser parser)
-{
- /* Process ID is 0 bits entropy if attacker has local access
- * XML_Parser address is few bits of entropy if attacker has local access */
- const unsigned long entropy =
- gather_time_entropy() ^ getpid() ^ (uintptr_t)parser;
-
- /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */
- if (sizeof(unsigned long) == 4) {
- return entropy * 2147483647;
- } else {
- return entropy * 2305843009213693951;
- }
+ unsigned int seed = time(NULL) % UINT_MAX;
+ srand(seed);
+ return rand();
}
static XML_Bool /* only valid for root parser */
@@ -738,7 +703,7 @@
{
/* hash functions must be initialized before setContext() is called */
if (hash_secret_salt == 0)
- hash_secret_salt = generate_hash_secret_salt(parser);
+ hash_secret_salt = generate_hash_secret_salt();
if (ns) {
/* implicit context only set for root parser, since child
parsers (i.e. external entity parsers) will inherit it