Security Vulnerability - CVE-2012-6702 and CVE-2016-5300
Applies the patch from the bug. The change to CMakeLists.txt is
not applicable as Android does not use that to build expat. It
is not needed as it only applies to building for Windows.
Fix cast from pointer to integer of different size
Test: make
Bug: 29149404
Change-Id: I83644220db8652d7ba818d71bc4d6f86a37881f6
diff --git a/Modules/expat/xmlparse.c b/Modules/expat/xmlparse.c
index 4128387..3f0939e 100644
--- a/Modules/expat/xmlparse.c
+++ b/Modules/expat/xmlparse.c
@@ -2,6 +2,20 @@
See the file COPYING for copying permission.
*/
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h> /* memset(), memcpy() */
+#include <assert.h>
+#include <limits.h> /* UINT_MAX */
+
+#ifdef COMPILED_FROM_DSP
+#define getpid GetCurrentProcessId
+#else
+#include <sys/time.h> /* gettimeofday() */
+#include <sys/types.h> /* getpid() */
+#include <unistd.h> /* getpid() */
+#endif
+
#define XML_BUILDING_EXPAT 1
#ifdef COMPILED_FROM_DSP
@@ -16,12 +30,6 @@
#include <expat_config.h>
#endif /* ndef COMPILED_FROM_DSP */
-#include <stddef.h>
-#include <string.h> /* memset(), memcpy() */
-#include <assert.h>
-#include <limits.h> /* UINT_MAX */
-#include <time.h> /* time() */
-
#include "ascii.h"
#include "expat.h"
@@ -432,7 +440,7 @@
getElementType(XML_Parser parser, const ENCODING *enc,
const char *ptr, const char *end);
-static unsigned long generate_hash_secret_salt(void);
+static unsigned long generate_hash_secret_salt(XML_Parser parser);
static XML_Bool startParsing(XML_Parser parser);
static XML_Parser
@@ -691,11 +699,38 @@
};
static unsigned long
-generate_hash_secret_salt(void)
+gather_time_entropy(void)
{
- unsigned int seed = time(NULL) % UINT_MAX;
- srand(seed);
- return rand();
+#ifdef COMPILED_FROM_DSP
+ FILETIME ft;
+ GetSystemTimeAsFileTime(&ft); /* never fails */
+ return ft.dwHighDateTime ^ ft.dwLowDateTime;
+#else
+ struct timeval tv;
+ int gettimeofday_res;
+
+ gettimeofday_res = gettimeofday(&tv, NULL);
+ assert (gettimeofday_res == 0);
+
+ /* Microseconds time is <20 bits entropy */
+ return tv.tv_usec;
+#endif
+}
+
+static unsigned long
+generate_hash_secret_salt(XML_Parser parser)
+{
+ /* Process ID is 0 bits entropy if attacker has local access
+ * XML_Parser address is few bits of entropy if attacker has local access */
+ const unsigned long entropy =
+ gather_time_entropy() ^ getpid() ^ (uintptr_t)parser;
+
+ /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */
+ if (sizeof(unsigned long) == 4) {
+ return entropy * 2147483647;
+ } else {
+ return entropy * 2305843009213693951;
+ }
}
static XML_Bool /* only valid for root parser */
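Review bot: On an ILP32 target (32-bit Android) the unsuffixed literal `2305843009213693951` in the else branch of generate_hash_secret_salt has type long long, so that branch is evaluated in signed 64-bit arithmetic and narrowed on return; the sizeof test makes it dead code, but it still draws conversion warnings and would be undefined behaviour if reached, so spell it `return entropy * (unsigned long)2305843009213693951ULL;`. More importantly for CVE-2016-5300, multiplying by an odd constant is a bijection modulo 2^32/2^64 and cannot add entropy: the salt is still the <20 bits of tv_usec plus a pid and a parser address that the added comments themselves concede a local attacker can learn, so the header comment should state that this is a weak fallback and that applications needing the hash-flooding mitigation should seed the salt from a CSPRNG (via the public XML_SetHashSalt API, if this tree has it). Under NDEBUG the `assert (gettimeofday_res == 0)` compiles away, leaving `gettimeofday_res` set but unused and `tv` read uninitialised should the call ever fail; `if (gettimeofday(&tv, NULL) != 0) return 0;` handles both without depending on asserts being enabled.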
@@ -703,7 +738,7 @@
{
/* hash functions must be initialized before setContext() is called */
if (hash_secret_salt == 0)
- hash_secret_salt = generate_hash_secret_salt();
+ hash_secret_salt = generate_hash_secret_salt(parser);
if (ns) {
/* implicit context only set for root parser, since child
parsers (i.e. external entity parsers) will inherit it
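Review bot: The `== 0` sentinel on the `if (hash_secret_salt == 0)` line keeps a generated salt that happens to be zero, and if the hashing routine mixes hash_secret_salt in as its name suggests, that parser then runs with an unsalted, fully predictable hash; the product in generate_hash_secret_salt is zero exactly when its entropy input is zero, which is rare but reachable. Either force a nonzero value here, `hash_secret_salt = generate_hash_secret_salt(parser) | 1UL;` (costing one bit of salt), or add a comment stating that a zero result is deliberately accepted as "unsalted". startParsing's signature and the rest of its body lie outside the hunk.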