summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaul Duffin <paulduffin@google.com>2016-06-07 15:53:38 +0100
committerPaul Duffin <paulduffin@google.com>2016-06-07 15:53:38 +0100
commit3c2f09e63ae65adffdfe07164f872e454e338789 (patch)
tree76f6a3af9e81edb73cb5fdcd26f7f2ae3b42c99f
parent4bf8f12b1d505770ce1fd3b5aa33bd7abe46ee74 (diff)
downloadexpat-3c2f09e63ae65adffdfe07164f872e454e338789.tar.gz
Security Vulnerability - CVE-2012-6702 and CVE-2016-5300
Applies the patch from the bug. The change to CMakeLists.txt is not applicable as Android does not use that to build expat. It is not needed as it only applies to building for Windows. Bug: 29149404 Change-Id: I557d2d5e5f338cd141db7f09fb2648f1be4cc8bc
-rw-r--r--lib/xmlparse.c48
1 files changed, 41 insertions, 7 deletions
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 18bfb7e8..e12853c6 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -6,7 +6,14 @@
#include <string.h> /* memset(), memcpy() */
#include <assert.h>
#include <limits.h> /* UINT_MAX */
-#include <time.h> /* time() */
+
+#ifdef COMPILED_FROM_DSP
+#define getpid GetCurrentProcessId
+#else
+#include <sys/time.h> /* gettimeofday() */
+#include <sys/types.h> /* getpid() */
+#include <unistd.h> /* getpid() */
+#endif
#define XML_BUILDING_EXPAT 1
@@ -432,7 +439,7 @@ static ELEMENT_TYPE *
getElementType(XML_Parser parser, const ENCODING *enc,
const char *ptr, const char *end);
-static unsigned long generate_hash_secret_salt(void);
+static unsigned long generate_hash_secret_salt(XML_Parser parser);
static XML_Bool startParsing(XML_Parser parser);
static XML_Parser
@@ -691,11 +698,38 @@ static const XML_Char implicitContext[] = {
};
static unsigned long
-generate_hash_secret_salt(void)
+gather_time_entropy(void)
{
- unsigned int seed = time(NULL) % UINT_MAX;
- srand(seed);
- return rand();
+#ifdef COMPILED_FROM_DSP
+ FILETIME ft;
+ GetSystemTimeAsFileTime(&ft); /* never fails */
+ return ft.dwHighDateTime ^ ft.dwLowDateTime;
+#else
+ struct timeval tv;
+ int gettimeofday_res;
+
+ gettimeofday_res = gettimeofday(&tv, NULL);
+ assert (gettimeofday_res == 0);
+
+ /* Microseconds time is <20 bits entropy */
+ return tv.tv_usec;
+#endif
+}
+
+static unsigned long
+generate_hash_secret_salt(XML_Parser parser)
+{
+ /* Process ID is 0 bits entropy if attacker has local access
+ * XML_Parser address is few bits of entropy if attacker has local access */
+ const unsigned long entropy =
+ gather_time_entropy() ^ getpid() ^ (unsigned long)parser;
+
+ /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */
+ if (sizeof(unsigned long) == 4) {
+ return entropy * 2147483647;
+ } else {
+ return entropy * 2305843009213693951;
+ }
}
static XML_Bool /* only valid for root parser */
@@ -703,7 +737,7 @@ startParsing(XML_Parser parser)
{
/* hash functions must be initialized before setContext() is called */
if (hash_secret_salt == 0)
- hash_secret_salt = generate_hash_secret_salt();
+ hash_secret_salt = generate_hash_secret_salt(parser);
if (ns) {
/* implicit context only set for root parser, since child
parsers (i.e. external entity parsers) will inherit it