Attachment #177035 for bug #214546

View | Details | Raw Unified | Return to bug 214546
Collapse All | Expand All





PORTNAME=	libwww
PORTVERSION=	5.4.0
PORTREVISION=	6
CATEGORIES=	www devel
MASTER_SITES=	http://www.w3.org/Library/Distribution/
DISTNAME=	w3c-${PORTNAME}-${PORTVERSION}

MAINTAINER=	marius@nuenneri.ch
COMMENT=	W3C Reference Library

LICENSE=	W3C
LICENSE_NAME=	W3C IPR SOFTWARE NOTICE
LICENSE_FILE=	${WRKSRC}/LICENSE.html
LICENSE_PERMS=	dist-mirror dist-sell pkg-mirror pkg-sell auto-accept

GNU_CONFIGURE=	yes
CONFIGURE_ARGS=	--with-zlib --with-ssl=${OPENSSLBASE}
USES=		gmake libtool perl5 ssl tar:tgz
USE_PERL5=	build
USE_LDCONFIG=	yes
USE_OPENSSL=	yes

post-install:
	${INSTALL_DATA} ${WRKSRC}/modules/expat/xmlparse/xmlparse.h \
		${STAGEDIR}${PREFIX}/include/w3c-libwww/
	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/*.so

.include <bsd.port.mk>

Lines 1-6 Link Here

(-)files/patch-Library__src__HTMIMImp.c (-3 / +3 lines)
1	--- Library/src/HTMIMImp.c.orig Sun Jun 30 22:51:48 2002	1	--- Library/src/HTMIMImp.c.orig 1999-02-22 22:10:11 UTC
2	+++ Library/src/HTMIMImp.c Sun Jun 30 22:52:01 2002	2	+++ Library/src/HTMIMImp.c
3	@@ -226,7 +226,7 @@	3	@@ -226,7 +226,7 @@ PRIVATE int HTFindInt(char * haystack, c
4	int value = deflt;	4	int value = deflt;
5	if (start != NULL) {	5	if (start != NULL) {
6	start += strlen(needle);	6	start += strlen(needle);




# $FreeBSD$

# CVE-2005-3183

--- Library/src/HTBound.c.orig	1999-02-22 22:10:10 UTC
+++ Library/src/HTBound.c
@@ -11,9 +11,12 @@
 **
 ** Authors
 **	HF	Henrik Frystyk <frystyk@w3.org>
+**      SV      Sam Varshavchik <mrsam@courier-mta.com>
 **
 ** History:
 **	Nov 95	Written from scratch
+**   SV Jun 05  Rewrote HTBoundary_put_block.  Fixed many bugs+segfaults.
+**   SV Jul 05  Fix double-counting of processed bytes.
 **
 */
 
@@ -23,104 +26,395 @@
 #include "WWWCore.h"
 #include "HTMerge.h"
 #include "HTReqMan.h"
+#include "HTNetMan.h"
+#include "HTChannl.h"
 #include "HTBound.h"					 /* Implemented here */
 
-#define PUTBLOCK(b, l)	(*me->target->isa->put_block)(me->target, b, l)
+#define PUTBLOCK(b, l)	(me->target ? (*me->target->isa->put_block)(me->target, b, l):HT_OK)
+
 #define PUTDEBUG(b, l)	(*me->debug->isa->put_block)(me->debug, b, l)
 #define FREE_TARGET	(*me->target->isa->_free)(me->target)
 
 struct _HTStream {
     const HTStreamClass *	isa;
+    HTNet *                      net;
     HTStream *			target;
     HTStream *			orig_target;
     HTFormat			format;
     HTStream *			debug;		  /* For preamble and epilog */
     HTRequest *			request;
-    BOOL			body;		  /* Body or preamble|epilog */
-    HTEOLState			state;
-    int				dash;			 /* Number of dashes */
     char *			boundary;
-    char *			bpos;
+
+    BOOL                        keptcrlf;
+    int                         (*state)(HTStream *, const char *, int);
+
+    char                        *boundary_ptr;
+
 };
 
+PRIVATE int HTBoundary_flush (HTStream * me);
+
 /* ------------------------------------------------------------------------- */
 
+PRIVATE int start_of_line (HTStream * me, const char * b, int l);
+PRIVATE int seen_dash (HTStream * me, const char * b, int l);
+PRIVATE int seen_doubledash (HTStream * me, const char * b, int l);
+PRIVATE int seen_delimiter_nonterminal(HTStream * me, const char * b, int l);
+PRIVATE int seen_delimiter_nonterminal_CR(HTStream * me, const char * b, int l);
+PRIVATE int seen_delimiter_dash(HTStream * me, const char * b, int l);
+PRIVATE int seen_delimiter_terminal(HTStream * me, const char * b, int l);
+PRIVATE int seen_delimiter_terminal_CR(HTStream * me, const char * b, int l);
+PRIVATE int not_delimiter(HTStream * me, const char * b, int l, int extra);
+PRIVATE int seen_nothing(HTStream * me, const char * b, int l);
+PRIVATE int seen_cr(HTStream * me, const char * b, int l);
+PRIVATE void process_boundary(HTStream *me, int isterminal);
+
+#define UNUSED(l) (l=l)    /* Shut up about unused variables */
+
 PRIVATE int HTBoundary_put_block (HTStream * me, const char * b, int l)
 {
-    const char *start = b;
-    const char *end = b;
-    while (l-- > 0) {
-	if (me->state == EOL_FCR) {
-	    me->state = (*b == LF) ? EOL_FLF : EOL_BEGIN;
-	} else if (me->state == EOL_FLF) {
-	    if (me->dash == 2) {
-		while (l>0 && *me->bpos && *me->bpos==*b) l--, me->bpos++, b++;
-		if (!*me->bpos) {
-		    HTTRACE(STREAM_TRACE, "Boundary.... `%s\' found\n" _ me->boundary);
-		    me->bpos = me->boundary;
-		    me->body = YES;
-		    me->state = EOL_DOT;
-		} else if (l>0) {
-		    me->dash = 0;
-		    me->bpos = me->boundary;
-		    me->state = EOL_BEGIN;
-		}
-	    }
-	    if (*b == '-') {
-		me->dash++;
-	    } else if (*b != CR && *b != LF) {
-		me->dash = 0;
-		me->state = EOL_BEGIN;
-	    }
-	} else if (me->state == EOL_SLF) {	    /* Look for closing '--' */
-	    if (me->dash == 4) {
-		if (end > start) {
-		    int status = PUTBLOCK(start, end-start);
-		    if (status != HT_OK) return status;
+	/*
+	** The HTBoundary object gets attached downstream of HTMime.
+	** The HTBoundary object creates another HTMime object downstream of
+	** the HTBoundary object.
+	**
+	** When we push data downstream to the second HTBoundary object, it
+	** updates the bytes read count in the HTNet object.
+	**
+	** When we return to the parent HTMime object, itupdates the
+	** bytes read count in the HTNet object again.  Oops.
+	**
+	** Same thing happens with the consumed byte count.  We can prevent
+	** the consumed byte counts from being updated by temporary setting
+	** the input channel stream pointer to NULL, but for the byte counts
+	** we have to save them and restore them before existing.
+	**
+	** This bug was discovered by chance when a multipart/partial response
+	** was partially received, and as a result of double-counting the
+	** real response got cut off (because HTMime thought that more bytes
+	** were processed than actually were, thus it processed only the
+	** partial count of the remaining bytes in the response).  When the
+	** multipart/partial response was received all at once this bug did
+	** not get triggered.
+	*/
+
+	HTHost *host=HTNet_host(me->net);
+	HTChannel *c=HTHost_channel(host);
+	HTInputStream *i=HTChannel_input(c);
+
+	long saveBytesRead=HTNet_bytesRead(me->net);
+	long saveHeaderBytesRead=HTNet_headerBytesRead(me->net);
+
+	if (i)
+		HTChannel_setInput(c, NULL);
+
+	HTTRACE(STREAM_TRACE, "Boundary: processing %d bytes\n" _ l);
+	/* Main loop consumes all input */
+
+	while (l)
+	{
+		int n= (*me->state)(me, b, l);
+
+		if (n == 0)
+			return HT_ERROR;
+		b += n;
+		l -= n;
+	}
+
+	if (i)
+		HTChannel_setInput(c, i);
+	HTNet_setBytesRead(me->net, saveBytesRead);
+	HTNet_setHeaderBytesRead(me->net, saveHeaderBytesRead);
+
+	return HT_OK;
+}
+
+/*
+** Start of line, keptcrlf=YES if we've kept the preceding CRLF from downstream
+** and we'll pass it along if we decide that this is not a boundary delimiter.
+*/
+
+PRIVATE int start_of_line (HTStream * me, const char * b, int l)
+{
+	if (*b != '-')
+		return not_delimiter(me, b, l, 0);
+
+	HTTRACE(STREAM_TRACE, "Boundary: start of line: input '-'\n");
+
+	me->state= seen_dash;
+
+	return 1;
+}
+
+/*
+** Line: -
+*/
+
+PRIVATE int seen_dash (HTStream * me, const char * b, int l)
+{
+	if (*b != '-')
+		return not_delimiter(me, b, l, 1);
+
+	HTTRACE(STREAM_TRACE, "Boundary: start of line: input '--'\n");
+
+	me->state= seen_doubledash;
+	me->boundary_ptr=me->boundary;
+	return 1;
+}
+
+/*
+** Line: --
+*/
+
+PRIVATE int seen_doubledash (HTStream * me, const char * b, int l)
+{
+	me->state=seen_doubledash;
+
+	if (*me->boundary_ptr)
+	{
+		if (*b != *me->boundary_ptr)
+		{
+			return not_delimiter(me, b, l,
+					     me->boundary_ptr - me->boundary
+					     + 2);
 		}
-		HTTRACE(STREAM_TRACE, "Boundary.... Ending\n");
-		start = b;
-		me->dash = 0;
-		me->state = EOL_BEGIN;
-	    }
-	    if (*b == '-') {
-		me->dash++;
-	    } else if (*b != CR && *b != LF) {
-		me->dash = 0;
-		me->state = EOL_BEGIN;
+		++me->boundary_ptr;
+		return 1;
 	    }
-	    me->body = NO;
-	} else if (me->state == EOL_DOT) {
-	    int status;
-	    if (me->body) {
-		if (me->target) FREE_TARGET;
+
+	/*
+	** Line: --delimiter
+	*/
+
+	if (*b == '-')
+	{
+		HTTRACE(STREAM_TRACE,
+			"Boundary: start of line: input '--%s-'\n"
+			_ me->boundary);
+
+		me->state=seen_delimiter_dash;
+		return 1;
+	}
+
+	HTTRACE(STREAM_TRACE,
+		"Boundary: Found: '--%s'\n" _ me->boundary);
+	
+	return seen_delimiter_nonterminal(me, b, l);
+}
+
+/*
+** Line: --delimiter
+**
+** Waiting for CRLF.
+*/
+
+
+PRIVATE int seen_delimiter_nonterminal(HTStream * me, const char * b, int l)
+{
+	UNUSED(l);
+
+	me->state=seen_delimiter_nonterminal;
+	if (*b == CR)
+		me->state=seen_delimiter_nonterminal_CR;
+
+	return 1;
+}
+
+/*
+** Line: --delimiter<CR>
+*/
+
+PRIVATE int seen_delimiter_nonterminal_CR(HTStream * me, const char * b, int l)
+{
+	HTTRACE(STREAM_TRACE,
+		"Boundary: Found: '--%s<CR>'\n" _ me->boundary);
+	
+	if (*b != LF)
+		return seen_delimiter_nonterminal(me, b, l);
+
+	HTTRACE(STREAM_TRACE,
+		"Boundary: Found: '--%s<CR><LF>'\n" _ me->boundary);
+	
+	process_boundary(me, NO);
+	return 1;
+}
+
+/*
+** Line: --delimiter-
+*/
+
+PRIVATE int seen_delimiter_dash(HTStream * me, const char * b, int l)
+{
+	if (*b != '-')
+		return seen_delimiter_nonterminal(me, b, l);
+
+	HTTRACE(STREAM_TRACE,
+		"Boundary: start of line: input '--%s--'\n"
+		_ me->boundary);
+	
+	me->state=seen_delimiter_terminal;
+	return 1;
+}
+
+/*
+** Line: --delimiter--
+*/
+
+PRIVATE int seen_delimiter_terminal(HTStream * me, const char * b, int l)
+{
+	UNUSED(l);
+
+	me->state=seen_delimiter_terminal;
+
+	if (*b == CR)
+		me->state=seen_delimiter_terminal_CR;
+	return 1;
+}
+/*
+** Line: --delimiter--<CR>
+*/
+
+PRIVATE int seen_delimiter_terminal_CR(HTStream * me, const char * b, int l)
+{
+	HTTRACE(STREAM_TRACE,
+		"Boundary: Found '--%s--<CR>'\n"
+		_ me->boundary);
+	
+	if (*b != LF)
+		return seen_delimiter_terminal(me, b, l);
+	HTTRACE(STREAM_TRACE,
+		"Boundary: Found '--%s--<CR><LF>'\n"
+		_ me->boundary);
+	
+	process_boundary(me, YES);
+	return 1;
+}
+
+/*
+** Beginning of the line does not contain a delimiter.
+**
+**
+** extra: Count of characters in a partially matched delimiter.  Since it's
+** not a delimiter this is content that needs to go downstream.
+*/
+
+PRIVATE int not_delimiter(HTStream * me, const char * b, int l, int extra)
+{
+	HTTRACE(STREAM_TRACE, "Boundary: not a delimiter line\n");
+	
+	if (me->keptcrlf)
+	{
+		HTTRACE(STREAM_TRACE, "Boundary: Sending previous line's <CR><LF>\n");
+		/*
+		** Did not process CRLF from previous line, because prev CRLF
+		** is considered a part of the delimiter.  See MIME RFC.
+		*/
+
+		me->keptcrlf=NO;
+		if (PUTBLOCK("\r\n", 2) != HT_OK)
+			return 0;
+	}
+
+	/*
+	** Potentially matched some of: --DELIMITER
+	*/
+
+	if (extra)
+	{
+		HTTRACE(STREAM_TRACE, "Boundary: Sending partially-matched %d characters\n" _ extra);
+
+		if (PUTBLOCK("--", extra > 2 ? 2:extra) != HT_OK)
+			return 0;
+
+		if (extra > 2)
+			if (PUTBLOCK(me->boundary, extra-2) != HT_OK)
+				return 0;
+	}
+	return seen_nothing(me, b, l);
+}
+
+/*
+** We're not looking for a delimiter.  Look for the next line of input
+** in the data that could potentially be a delimiter.
+*/
+
+PRIVATE int seen_nothing(HTStream * me, const char * b, int l)
+{
+	int i;
+
+	me->state=seen_nothing;
+
+	for (i=0; i<l; i++)
+	{
+		if (b[i] != CR)
+			continue;
+
+		/*
+		** If we have at least four more characters in unconsumed
+		** input, and they're not \r\n--, we can safely skip over
+		** them.
+		*/
+
+		if (l-i > 4 &&
+		    strncmp(b+i, "\r\n--", 4))
+			continue;
+		break;
+	}
+
+	if (i == 0)
+	{
+		/* Could only be a CR here. */
+
+		me->state=seen_cr;
+		return 1;
+	}
+
+	HTTRACE(STREAM_TRACE, "Boundary: Processed %d (out of %d) bytes\n"
+		_ i _ l);
+
+	if (PUTBLOCK(b, i) != HT_OK)
+		return 0;
+
+	return i;
+}
+
+/*
+** State: seen a CR
+*/
+
+PRIVATE int seen_cr(HTStream * me, const char * b, int l)
+{
+	HTTRACE(STREAM_TRACE, "Boundary: Processed <CR>\n");
+
+	if (*b != LF)
+	{
+		HTTRACE(STREAM_TRACE, "Boundary: ... <LF> didn't follow\n");
+		if (PUTBLOCK("\r", 1) != HT_OK)
+			return 0;
+		return seen_nothing(me, b, l);
+    }
+
+	HTTRACE(STREAM_TRACE, "Boundary: Processed <CR><LF>\n");
+	me->state=start_of_line;
+	me->keptcrlf=YES;
+	return 1;
+}
+
+PRIVATE void process_boundary(HTStream *me, int isterminal)
+{
+	HTBoundary_flush(me);
+	if (me->target) FREE_TARGET;
+	me->target=NULL;
+	me->state=start_of_line;
+	me->keptcrlf=NO;
+
+	if (!isterminal)
 		me->target = HTStreamStack(WWW_MIME,me->format,
 					   HTMerge(me->orig_target, 2),
 					   me->request, YES);
-		if (end > start) {
-		    if ((status = PUTBLOCK(start, end-start)) != HT_OK)
-			return status;
-		}
-	    } else {
-		if (me->debug)
-		    if ((status = PUTDEBUG(start, end-start)) != HT_OK)
-			return status;
-	    }
-	    start = b;
-	    if (*b == '-') me->dash++;
-	    me->state = EOL_SLF;
-	} else if (*b == CR) {
-	    me->state = EOL_FCR;
-	    end = b;
-	} else if (*b == LF) {
-	    if (me->state != EOL_FCR) end = b;
-	    me->state = EOL_FLF;
-	}
-	b++;
-    }
-    return (start<b && me->body) ? PUTBLOCK(start, b-start) : HT_OK;
 }
 
+
 PRIVATE int HTBoundary_put_string (HTStream * me, const char * s)
 {
     return HTBoundary_put_block(me, s, (int) strlen(s));
@@ -133,6 +427,8 @@ PRIVATE int HTBoundary_put_character (HT
 
 PRIVATE int HTBoundary_flush (HTStream * me)
 {
+	if (me->target == NULL)
+		return HT_OK;
     return (*me->target->isa->flush)(me->target);
 }
 
@@ -182,18 +478,26 @@ PUBLIC HTStream * HTBoundary   (HTReques
 	HTResponse_formatParam(response) :
 	HTAnchor_formatParam(anchor);
     char * boundary = HTAssocList_findObject(type_param, "boundary");
+
+    UNUSED(param);
+    UNUSED(input_format);
+
     if (boundary) {
 	HTStream * me;
 	if ((me = (HTStream  *) HT_CALLOC(1, sizeof(HTStream))) == NULL)
 	    HT_OUTOFMEM("HTBoundary");
 	me->isa = &HTBoundaryClass;
+	me->net = HTRequest_net(request);
 	me->request = request;
 	me->format = output_format;
 	me->orig_target = output_stream;
 	me->debug = HTRequest_debugStream(request);
-	me->state = EOL_FLF;
+
+	me->state = start_of_line;
+	me->keptcrlf=NO;
+
 	StrAllocCopy(me->boundary, boundary);		       /* Local copy */
-	me->bpos = me->boundary;
+
 	HTTRACE(STREAM_TRACE, "Boundary.... Stream created with boundary '%s\'\n" _ me->boundary);
 	return me;
     } else {

Lines 1-6 Link Here

(-)files/patch-configure (-3 / +3 lines)
1	--- configure.orig Wed Jun 12 11:31:31 2002	1	--- configure.orig 2002-06-12 09:31:31 UTC
2	+++ configure Sat Mar 10 21:51:00 2007	2	+++ configure
3	@@ -7612,8 +7612,11 @@	3	@@ -7612,8 +7612,11 @@ if test "${with_ssl+set}" = set; then
4	if test "x$withval" = "xyes"; then	4	if test "x$withval" = "xyes"; then
5	withval=$ssllib	5	withval=$ssllib
6	SSLINC=$sslinc	6	SSLINC=$sslinc

Lines 1-6 Link Here

(-)files/patch-libwww-config.in (-4 / +3 lines)
1	--- libwww-config.in.orig Thu Jul 6 18:48:21 2006	1	--- libwww-config.in.orig 1999-06-23 18:05:01 UTC
2	+++ libwww-config.in Thu Jul 6 18:49:01 2006	2	+++ libwww-config.in
3	@@ -48,7 +48,7 @@	3	@@ -48,7 +48,7 @@ while test $# -gt 0; do
4	echo -I@includedir@ -I@includedir@/@PACKAGE@ @DEFS@	4	echo -I@includedir@ -I@includedir@/@PACKAGE@ @DEFS@
5	;;	5	;;
6	--libs)	6	--libs)
Lines 9-12 Link Here
9	;;	9	;;
10	*)	10	*)
11	echo "${usage}" 1>&2	11	echo "${usage}" 1>&2
12




# $FreeBSD$

# CVE-2009-3560

--- modules/expat/xmlparse/xmlparse.c.orig	2000-08-28 08:52:01 UTC
+++ modules/expat/xmlparse/xmlparse.c
@@ -2199,6 +2199,9 @@ doProlog(XML_Parser parser,
 	return XML_ERROR_UNCLOSED_TOKEN;
       case XML_TOK_PARTIAL_CHAR:
 	return XML_ERROR_PARTIAL_CHAR;
+      case -XML_TOK_PROLOG_S:
+	tok = -tok;
+	break;
       case XML_TOK_NONE:
 #ifdef XML_DTD
 	if (enc != encoding)




# $FreeBSD$

# CVE-2009-3720

--- modules/expat/xmltok/xmltok_impl.c.orig	2000-08-28 08:52:01 UTC
+++ modules/expat/xmltok/xmltok_impl.c
@@ -1753,7 +1753,7 @@ void PREFIX(updatePosition)(const ENCODI
 			    const char *end,
 			    POSITION *pos)
 {
-  while (ptr != end) {
+  while (ptr < end) {
     switch (BYTE_TYPE(enc, ptr)) {
 #define LEAD_CASE(n) \
     case BT_LEAD ## n: \

Return to bug 214546

Lines 3-25 Link Here

(-)Makefile (-4 / +9 lines)
3		3
4	PORTNAME= libwww	4	PORTNAME= libwww
5	PORTVERSION= 5.4.0	5	PORTVERSION= 5.4.0
6	PORTREVISION= 5	6	PORTREVISION= 6
7	CATEGORIES= www devel	7	CATEGORIES= www devel
8	MASTER_SITES= http://www.w3.org/Library/Distribution/	8	MASTER_SITES= http://www.w3.org/Library/Distribution/
9	DISTNAME= w3c-${PORTNAME}-${PORTVERSION}	9	DISTNAME= w3c-${PORTNAME}-${PORTVERSION}
10		10
11	MAINTAINER= marius@nuenneri.ch	11	MAINTAINER= marius@nuenneri.ch
12	COMMENT= The W3C Reference Library	12	COMMENT= W3C Reference Library
		13
		14	LICENSE= W3C
		15	LICENSE_NAME= W3C IPR SOFTWARE NOTICE
		16	LICENSE_FILE= ${WRKSRC}/LICENSE.html
		17	LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
13		18
14	GNU_CONFIGURE= yes	19	GNU_CONFIGURE= yes
15	CONFIGURE_ARGS= --with-zlib --with-ssl=${OPENSSLBASE}	20	CONFIGURE_ARGS= --with-zlib --with-ssl=${OPENSSLBASE}
16	USES= perl5 gmake libtool tar:tgz	21	USES= gmake libtool perl5 ssl tar:tgz
17	USE_PERL5= build	22	USE_PERL5= build
18	USE_LDCONFIG= yes	23	USE_LDCONFIG= yes
19	USE_OPENSSL= yes
20		24
21	post-install:	25	post-install:
22	${INSTALL_DATA} ${WRKSRC}/modules/expat/xmlparse/xmlparse.h \	26	${INSTALL_DATA} ${WRKSRC}/modules/expat/xmlparse/xmlparse.h \
23	${STAGEDIR}${PREFIX}/include/w3c-libwww/	27	${STAGEDIR}${PREFIX}/include/w3c-libwww/
		28	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/*.so
24		29
25	.include <bsd.port.mk>	30	.include <bsd.port.mk>

Line 0 Link Here

(-)files/patch-Library_src_HTBound.c (+525 lines)
		1	# $FreeBSD$
		2
		3	# CVE-2005-3183
		4
		5	--- Library/src/HTBound.c.orig 1999-02-22 22:10:10 UTC
		6	+++ Library/src/HTBound.c
		7	@@ -11,9 +11,12 @@
		8	**
		9	** Authors
		10	** HF Henrik Frystyk <frystyk@w3.org>
		11	+** SV Sam Varshavchik <mrsam@courier-mta.com>
		12	**
		13	** History:
		14	** Nov 95 Written from scratch
		15	+** SV Jun 05 Rewrote HTBoundary_put_block. Fixed many bugs+segfaults.
		16	+** SV Jul 05 Fix double-counting of processed bytes.
		17	**
		18	*/
		19
		20	@@ -23,104 +26,395 @@
		21	#include "WWWCore.h"
		22	#include "HTMerge.h"
		23	#include "HTReqMan.h"
		24	+#include "HTNetMan.h"
		25	+#include "HTChannl.h"
		26	#include "HTBound.h" /* Implemented here */
		27
		28	-#define PUTBLOCK(b, l) (*me->target->isa->put_block)(me->target, b, l)
		29	+#define PUTBLOCK(b, l) (me->target ? (*me->target->isa->put_block)(me->target, b, l):HT_OK)
		30	+
		31	#define PUTDEBUG(b, l) (*me->debug->isa->put_block)(me->debug, b, l)
		32	#define FREE_TARGET (*me->target->isa->_free)(me->target)
		33
		34	struct _HTStream {
		35	const HTStreamClass * isa;
		36	+ HTNet * net;
		37	HTStream * target;
		38	HTStream * orig_target;
		39	HTFormat format;
		40	HTStream * debug; /* For preamble and epilog */
		41	HTRequest * request;
		42	- BOOL body; /* Body or preamble\|epilog */
		43	- HTEOLState state;
		44	- int dash; /* Number of dashes */
		45	char * boundary;
		46	- char * bpos;
		47	+
		48	+ BOOL keptcrlf;
		49	+ int (state)(HTStream , const char *, int);
		50	+
		51	+ char *boundary_ptr;
		52	+
		53	};
		54
		55	+PRIVATE int HTBoundary_flush (HTStream * me);
		56	+
		57	/* ------------------------------------------------------------------------- */
		58
		59	+PRIVATE int start_of_line (HTStream * me, const char * b, int l);
		60	+PRIVATE int seen_dash (HTStream * me, const char * b, int l);
		61	+PRIVATE int seen_doubledash (HTStream * me, const char * b, int l);
		62	+PRIVATE int seen_delimiter_nonterminal(HTStream * me, const char * b, int l);
		63	+PRIVATE int seen_delimiter_nonterminal_CR(HTStream * me, const char * b, int l);
		64	+PRIVATE int seen_delimiter_dash(HTStream * me, const char * b, int l);
65	+PRIVATE int seen_delimiter_terminal(HTStream * me, const char * b, int l);
66	+PRIVATE int seen_delimiter_terminal_CR(HTStream * me, const char * b, int l);
67	+PRIVATE int not_delimiter(HTStream * me, const char * b, int l, int extra);
68	+PRIVATE int seen_nothing(HTStream * me, const char * b, int l);
69	+PRIVATE int seen_cr(HTStream * me, const char * b, int l);
70	+PRIVATE void process_boundary(HTStream *me, int isterminal);
71	+
72	+#define UNUSED(l) (l=l) /* Shut up about unused variables */
73	+
74	PRIVATE int HTBoundary_put_block (HTStream * me, const char * b, int l)
75	{
76	- const char *start = b;
77	- const char *end = b;
78	- while (l-- > 0) {
79	- if (me->state == EOL_FCR) {
80	- me->state = (*b == LF) ? EOL_FLF : EOL_BEGIN;
81	- } else if (me->state == EOL_FLF) {
82	- if (me->dash == 2) {
83	- while (l>0 && me->bpos && me->bpos==*b) l--, me->bpos++, b++;
84	- if (!*me->bpos) {
85	- HTTRACE(STREAM_TRACE, "Boundary.... `%s\' found\n" _ me->boundary);
86	- me->bpos = me->boundary;
87	- me->body = YES;
88	- me->state = EOL_DOT;
89	- } else if (l>0) {
90	- me->dash = 0;
91	- me->bpos = me->boundary;
92	- me->state = EOL_BEGIN;
93	- }
94	- }
95	- if (*b == '-') {
96	- me->dash++;
97	- } else if (b != CR && b != LF) {
98	- me->dash = 0;
99	- me->state = EOL_BEGIN;
100	- }
101	- } else if (me->state == EOL_SLF) { /* Look for closing '--' */
102	- if (me->dash == 4) {
103	- if (end > start) {
104	- int status = PUTBLOCK(start, end-start);
105	- if (status != HT_OK) return status;
106	+ /*
107	+ ** The HTBoundary object gets attached downstream of HTMime.
108	+ ** The HTBoundary object creates another HTMime object downstream of
109	+ ** the HTBoundary object.
110	+ **
111	+ ** When we push data downstream to the second HTBoundary object, it
112	+ ** updates the bytes read count in the HTNet object.
113	+ **
114	+ ** When we return to the parent HTMime object, itupdates the
115	+ ** bytes read count in the HTNet object again. Oops.
116	+ **
117	+ ** Same thing happens with the consumed byte count. We can prevent
118	+ ** the consumed byte counts from being updated by temporary setting
119	+ ** the input channel stream pointer to NULL, but for the byte counts
120	+ ** we have to save them and restore them before existing.
121	+ **
122	+ ** This bug was discovered by chance when a multipart/partial response
123	+ ** was partially received, and as a result of double-counting the
124	+ ** real response got cut off (because HTMime thought that more bytes
125	+ ** were processed than actually were, thus it processed only the
126	+ ** partial count of the remaining bytes in the response). When the
127	+ ** multipart/partial response was received all at once this bug did
128	+ ** not get triggered.
129	+ */
130	+
131	+ HTHost *host=HTNet_host(me->net);
132	+ HTChannel *c=HTHost_channel(host);
133	+ HTInputStream *i=HTChannel_input(c);
134	+
135	+ long saveBytesRead=HTNet_bytesRead(me->net);
136	+ long saveHeaderBytesRead=HTNet_headerBytesRead(me->net);
137	+
138	+ if (i)
139	+ HTChannel_setInput(c, NULL);
140	+
141	+ HTTRACE(STREAM_TRACE, "Boundary: processing %d bytes\n" _ l);
142	+ /* Main loop consumes all input */
143	+
144	+ while (l)
145	+ {
146	+ int n= (*me->state)(me, b, l);
147	+
148	+ if (n == 0)
149	+ return HT_ERROR;
150	+ b += n;
151	+ l -= n;
152	+ }
153	+
154	+ if (i)
155	+ HTChannel_setInput(c, i);
156	+ HTNet_setBytesRead(me->net, saveBytesRead);
157	+ HTNet_setHeaderBytesRead(me->net, saveHeaderBytesRead);
158	+
159	+ return HT_OK;
160	+}
161	+
162	+/*
163	+** Start of line, keptcrlf=YES if we've kept the preceding CRLF from downstream
164	+** and we'll pass it along if we decide that this is not a boundary delimiter.
165	+*/
166	+
167	+PRIVATE int start_of_line (HTStream * me, const char * b, int l)
168	+{
169	+ if (*b != '-')
170	+ return not_delimiter(me, b, l, 0);
171	+
172	+ HTTRACE(STREAM_TRACE, "Boundary: start of line: input '-'\n");
173	+
174	+ me->state= seen_dash;
175	+
176	+ return 1;
177	+}
178	+
179	+/*
180	+** Line: -
181	+*/
182	+
183	+PRIVATE int seen_dash (HTStream * me, const char * b, int l)
184	+{
185	+ if (*b != '-')
186	+ return not_delimiter(me, b, l, 1);
187	+
188	+ HTTRACE(STREAM_TRACE, "Boundary: start of line: input '--'\n");
189	+
190	+ me->state= seen_doubledash;
191	+ me->boundary_ptr=me->boundary;
192	+ return 1;
193	+}
194	+
195	+/*
196	+** Line: --
197	+*/
198	+
199	+PRIVATE int seen_doubledash (HTStream * me, const char * b, int l)
200	+{
201	+ me->state=seen_doubledash;
202	+
203	+ if (*me->boundary_ptr)
204	+ {
205	+ if (b != me->boundary_ptr)
206	+ {
207	+ return not_delimiter(me, b, l,
208	+ me->boundary_ptr - me->boundary
209	+ + 2);
210	}
211	- HTTRACE(STREAM_TRACE, "Boundary.... Ending\n");
212	- start = b;
213	- me->dash = 0;
214	- me->state = EOL_BEGIN;
215	- }
216	- if (*b == '-') {
217	- me->dash++;
218	- } else if (b != CR && b != LF) {
219	- me->dash = 0;
220	- me->state = EOL_BEGIN;
221	+ ++me->boundary_ptr;
222	+ return 1;
223	}
224	- me->body = NO;
225	- } else if (me->state == EOL_DOT) {
226	- int status;
227	- if (me->body) {
228	- if (me->target) FREE_TARGET;
229	+
230	+ /*
231	+ ** Line: --delimiter
232	+ */
233	+
234	+ if (*b == '-')
235	+ {
236	+ HTTRACE(STREAM_TRACE,
237	+ "Boundary: start of line: input '--%s-'\n"
238	+ _ me->boundary);
239	+
240	+ me->state=seen_delimiter_dash;
241	+ return 1;
242	+ }
243	+
244	+ HTTRACE(STREAM_TRACE,
245	+ "Boundary: Found: '--%s'\n" _ me->boundary);
246	+
247	+ return seen_delimiter_nonterminal(me, b, l);
248	+}
249	+
250	+/*
251	+** Line: --delimiter
252	+**
253	+** Waiting for CRLF.
254	+*/
255	+
256	+
257	+PRIVATE int seen_delimiter_nonterminal(HTStream * me, const char * b, int l)
258	+{
259	+ UNUSED(l);
260	+
261	+ me->state=seen_delimiter_nonterminal;
262	+ if (*b == CR)
263	+ me->state=seen_delimiter_nonterminal_CR;
264	+
265	+ return 1;
266	+}
267	+
268	+/*
269	+** Line: --delimiter<CR>
270	+*/
271	+
272	+PRIVATE int seen_delimiter_nonterminal_CR(HTStream * me, const char * b, int l)
273	+{
274	+ HTTRACE(STREAM_TRACE,
275	+ "Boundary: Found: '--%s<CR>'\n" _ me->boundary);
276	+
277	+ if (*b != LF)
278	+ return seen_delimiter_nonterminal(me, b, l);
279	+
280	+ HTTRACE(STREAM_TRACE,
281	+ "Boundary: Found: '--%s<CR><LF>'\n" _ me->boundary);
282	+
283	+ process_boundary(me, NO);
284	+ return 1;
285	+}
286	+
287	+/*
288	+** Line: --delimiter-
289	+*/
290	+
291	+PRIVATE int seen_delimiter_dash(HTStream * me, const char * b, int l)
292	+{
293	+ if (*b != '-')
294	+ return seen_delimiter_nonterminal(me, b, l);
295	+
296	+ HTTRACE(STREAM_TRACE,
297	+ "Boundary: start of line: input '--%s--'\n"
298	+ _ me->boundary);
299	+
300	+ me->state=seen_delimiter_terminal;
301	+ return 1;
302	+}
303	+
304	+/*
305	+** Line: --delimiter--
306	+*/
307	+
308	+PRIVATE int seen_delimiter_terminal(HTStream * me, const char * b, int l)
309	+{
310	+ UNUSED(l);
311	+
312	+ me->state=seen_delimiter_terminal;
313	+
314	+ if (*b == CR)
315	+ me->state=seen_delimiter_terminal_CR;
316	+ return 1;
317	+}
318	+/*
319	+** Line: --delimiter--<CR>
320	+*/
321	+
322	+PRIVATE int seen_delimiter_terminal_CR(HTStream * me, const char * b, int l)
323	+{
324	+ HTTRACE(STREAM_TRACE,
325	+ "Boundary: Found '--%s--<CR>'\n"
326	+ _ me->boundary);
327	+
328	+ if (*b != LF)
329	+ return seen_delimiter_terminal(me, b, l);
330	+ HTTRACE(STREAM_TRACE,
331	+ "Boundary: Found '--%s--<CR><LF>'\n"
332	+ _ me->boundary);
333	+
334	+ process_boundary(me, YES);
335	+ return 1;
336	+}
337	+
338	+/*
339	+** Beginning of the line does not contain a delimiter.
340	+**
341	+**
342	+** extra: Count of characters in a partially matched delimiter. Since it's
343	+** not a delimiter this is content that needs to go downstream.
344	+*/
345	+
346	+PRIVATE int not_delimiter(HTStream * me, const char * b, int l, int extra)
347	+{
348	+ HTTRACE(STREAM_TRACE, "Boundary: not a delimiter line\n");
349	+
350	+ if (me->keptcrlf)
351	+ {
352	+ HTTRACE(STREAM_TRACE, "Boundary: Sending previous line's <CR><LF>\n");
353	+ /*
354	+ ** Did not process CRLF from previous line, because prev CRLF
355	+ ** is considered a part of the delimiter. See MIME RFC.
356	+ */
357	+
358	+ me->keptcrlf=NO;
359	+ if (PUTBLOCK("\r\n", 2) != HT_OK)
360	+ return 0;
361	+ }
362	+
363	+ /*
364	+ ** Potentially matched some of: --DELIMITER
365	+ */
366	+
367	+ if (extra)
368	+ {
369	+ HTTRACE(STREAM_TRACE, "Boundary: Sending partially-matched %d characters\n" _ extra);
370	+
371	+ if (PUTBLOCK("--", extra > 2 ? 2:extra) != HT_OK)
372	+ return 0;
373	+
374	+ if (extra > 2)
375	+ if (PUTBLOCK(me->boundary, extra-2) != HT_OK)
376	+ return 0;
377	+ }
378	+ return seen_nothing(me, b, l);
379	+}
380	+
381	+/*
382	+** We're not looking for a delimiter. Look for the next line of input
383	+** in the data that could potentially be a delimiter.
384	+*/
385	+
386	+PRIVATE int seen_nothing(HTStream * me, const char * b, int l)
387	+{
388	+ int i;
389	+
390	+ me->state=seen_nothing;
391	+
392	+ for (i=0; i<l; i++)
393	+ {
394	+ if (b[i] != CR)
395	+ continue;
396	+
397	+ /*
398	+ ** If we have at least four more characters in unconsumed
399	+ ** input, and they're not \r\n--, we can safely skip over
400	+ ** them.
401	+ */
402	+
403	+ if (l-i > 4 &&
404	+ strncmp(b+i, "\r\n--", 4))
405	+ continue;
406	+ break;
407	+ }
408	+
409	+ if (i == 0)
410	+ {
411	+ /* Could only be a CR here. */
412	+
413	+ me->state=seen_cr;
414	+ return 1;
415	+ }
416	+
417	+ HTTRACE(STREAM_TRACE, "Boundary: Processed %d (out of %d) bytes\n"
418	+ _ i _ l);
419	+
420	+ if (PUTBLOCK(b, i) != HT_OK)
421	+ return 0;
422	+
423	+ return i;
424	+}
425	+
426	+/*
427	+** State: seen a CR
428	+*/
429	+
430	+PRIVATE int seen_cr(HTStream * me, const char * b, int l)
431	+{
432	+ HTTRACE(STREAM_TRACE, "Boundary: Processed <CR>\n");
433	+
434	+ if (*b != LF)
435	+ {
436	+ HTTRACE(STREAM_TRACE, "Boundary: ... <LF> didn't follow\n");
437	+ if (PUTBLOCK("\r", 1) != HT_OK)
438	+ return 0;
439	+ return seen_nothing(me, b, l);
440	+ }
441	+
442	+ HTTRACE(STREAM_TRACE, "Boundary: Processed <CR><LF>\n");
443	+ me->state=start_of_line;
444	+ me->keptcrlf=YES;
445	+ return 1;
446	+}
447	+
448	+PRIVATE void process_boundary(HTStream *me, int isterminal)
449	+{
450	+ HTBoundary_flush(me);
451	+ if (me->target) FREE_TARGET;
452	+ me->target=NULL;
453	+ me->state=start_of_line;
454	+ me->keptcrlf=NO;
455	+
456	+ if (!isterminal)
457	me->target = HTStreamStack(WWW_MIME,me->format,
458	HTMerge(me->orig_target, 2),
459	me->request, YES);
460	- if (end > start) {
461	- if ((status = PUTBLOCK(start, end-start)) != HT_OK)
462	- return status;
463	- }
464	- } else {
465	- if (me->debug)
466	- if ((status = PUTDEBUG(start, end-start)) != HT_OK)
467	- return status;
468	- }
469	- start = b;
470	- if (*b == '-') me->dash++;
471	- me->state = EOL_SLF;
472	- } else if (*b == CR) {
473	- me->state = EOL_FCR;
474	- end = b;
475	- } else if (*b == LF) {
476	- if (me->state != EOL_FCR) end = b;
477	- me->state = EOL_FLF;
478	- }
479	- b++;
480	- }
481	- return (start<b && me->body) ? PUTBLOCK(start, b-start) : HT_OK;
482	}
483
484	+
485	PRIVATE int HTBoundary_put_string (HTStream * me, const char * s)
486	{
487	return HTBoundary_put_block(me, s, (int) strlen(s));
488	@@ -133,6 +427,8 @@ PRIVATE int HTBoundary_put_character (HT
489
490	PRIVATE int HTBoundary_flush (HTStream * me)
491	{
492	+ if (me->target == NULL)
493	+ return HT_OK;
494	return (*me->target->isa->flush)(me->target);
495	}
496
497	@@ -182,18 +478,26 @@ PUBLIC HTStream * HTBoundary (HTReques
498	HTResponse_formatParam(response) :
499	HTAnchor_formatParam(anchor);
500	char * boundary = HTAssocList_findObject(type_param, "boundary");
501	+
502	+ UNUSED(param);
503	+ UNUSED(input_format);
504	+
505	if (boundary) {
506	HTStream * me;
507	if ((me = (HTStream *) HT_CALLOC(1, sizeof(HTStream))) == NULL)
508	HT_OUTOFMEM("HTBoundary");
509	me->isa = &HTBoundaryClass;
510	+ me->net = HTRequest_net(request);
511	me->request = request;
512	me->format = output_format;
513	me->orig_target = output_stream;
514	me->debug = HTRequest_debugStream(request);
515	- me->state = EOL_FLF;
516	+
517	+ me->state = start_of_line;
518	+ me->keptcrlf=NO;
519	+
520	StrAllocCopy(me->boundary, boundary); /* Local copy */
521	- me->bpos = me->boundary;
522	+
523	HTTRACE(STREAM_TRACE, "Boundary.... Stream created with boundary '%s\'\n" _ me->boundary);
524	return me;
525	} else {

Line 0 Link Here

(-)files/patch-modules_expat_xmlparse_xmlparse.c (+16 lines)
	1	# $FreeBSD$
	2
	3	# CVE-2009-3560
	4
	5	--- modules/expat/xmlparse/xmlparse.c.orig 2000-08-28 08:52:01 UTC
	6	+++ modules/expat/xmlparse/xmlparse.c
	7	@@ -2199,6 +2199,9 @@ doProlog(XML_Parser parser,
	8	return XML_ERROR_UNCLOSED_TOKEN;
	9	case XML_TOK_PARTIAL_CHAR:
	10	return XML_ERROR_PARTIAL_CHAR;
	11	+ case -XML_TOK_PROLOG_S:
	12	+ tok = -tok;
	13	+ break;
	14	case XML_TOK_NONE:
	15	#ifdef XML_DTD
	16	if (enc != encoding)

Line 0 Link Here

(-)files/patch-modules_expat_xmltok_xmltok__impl.c (+15 lines)
	1	# $FreeBSD$
	2
	3	# CVE-2009-3720
	4
	5	--- modules/expat/xmltok/xmltok_impl.c.orig 2000-08-28 08:52:01 UTC
	6	+++ modules/expat/xmltok/xmltok_impl.c
	7	@@ -1753,7 +1753,7 @@ void PREFIX(updatePosition)(const ENCODI
	8	const char *end,
	9	POSITION *pos)
	10	{
	11	- while (ptr != end) {
	12	+ while (ptr < end) {
	13	switch (BYTE_TYPE(enc, ptr)) {
	14	#define LEAD_CASE(n) \
	15	case BT_LEAD ## n: \