authorbluhm <bluhm@openbsd.org>2017-07-19 20:24:07 +0000
committerbluhm <bluhm@openbsd.org>2017-07-19 20:24:07 +0000
commit0d60d187cf10a7c5a45f97b99fd2ec93ecf4481a (patch)
tree93cc904f2ae6415812dce34ed025d617d5fad11c
parentFix previous commit; check the enter_ddb function pointer instead of the (diff)
Update libexpat to 2.2.2. Fixes NULL parser dereference.
no objections deraadt@
-rw-r--r--lib/libexpat/Changes50
-rw-r--r--lib/libexpat/README2
-rw-r--r--lib/libexpat/lib/expat.h3
-rw-r--r--lib/libexpat/lib/siphash.h58
-rw-r--r--lib/libexpat/lib/xmlparse.c55
-rw-r--r--lib/libexpat/tests/memcheck.c2
-rw-r--r--lib/libexpat/tests/minicheck.h6
-rw-r--r--lib/libexpat/tests/runtests.c22
8 files changed, 162 insertions, 36 deletions
diff --git a/lib/libexpat/Changes b/lib/libexpat/Changes
index 3054c32347e..9fb36dda37c 100644
--- a/lib/libexpat/Changes
+++ b/lib/libexpat/Changes
@@ -2,6 +2,56 @@ NOTE: We are looking for help with a few things:
https://github.com/libexpat/libexpat/labels/help%20wanted
If you can help, please get in touch. Thanks!
+Release 2.2.2 Wed July 12 2017
+ Security fixes:
+ #43 Protect against compilation without any source of high
+ quality entropy enabled, e.g. with CMake build system;
+ commit ff0207e6076e9828e536b8d9cd45c9c92069b895
+ #60 Windows with _UNICODE:
+ Unintended use of LoadLibraryW with a non-wide string
+ resulted in failure to load advapi32.dll and degradation
+ in quality of used entropy when compiled with _UNICODE for
+ Windows; you can launch existing binaries with
+ EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the
+ quality of entropy used during runtime; commits
+ * 95b95032f907ef1cd17ee7a9a1768010a825d61d
+ * 73a5a2e9c081f49f2d775cf7ced864158b68dc80
+ [MOX-006] Fix non-NULL parser parameter validation in XML_Parse;
+ resulted in NULL dereference, previously;
+ commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe
+
+ Bug fixes:
+ #69 Fix improper use of unsigned long long integer literals
+
+ Other changes:
+ #73 Start requiring a C99 compiler
+ #49 Fix "==" Bashism in configure script
+ #50 Fix too eager getrandom detection for Debian GNU/kFreeBSD
+ #52 and macOS
+ #51 Address lack of stdint.h in Visual Studio 2003 to 2008
+ #58 Address compile warnings
+ #68 Fix "./buildconf.sh && ./configure" for some versions
+ of Dash for /bin/sh
+ #72 CMake: Ease use of Expat in context of a parent project
+ with multipe CMakeLists.txt files
+ #72 CMake: Resolve mistaken executable permissions
+ #76 Address compile warning with -DNDEBUG (not recommended!)
+ #77 Address compile warning about macro redefinition
+
+ Special thanks to:
+ Alexander Bluhm
+ Ben Boeckel
+ Cătălin Răceanu
+ Kerin Millar
+ László Böszörményi
+ S. P. Zeidler
+ Segev Finer
+ Václav Slavík
+ Victor Stinner
+ Viktor Szakats
+ and
+ Radically Open Security
+
Release 2.2.1 Sat June 17 2017
Security fixes:
CVE-2017-9233 -- External entity infinite loop DoS
diff --git a/lib/libexpat/README b/lib/libexpat/README
index cd11a226c07..c86018f4aaf 100644
--- a/lib/libexpat/README
+++ b/lib/libexpat/README
@@ -1,5 +1,5 @@
- Expat, Release 2.2.1
+ Expat, Release 2.2.2
This is Expat, a C library for parsing XML, written by James Clark.
Expat is a stream-oriented XML parser. This means that you register
diff --git a/lib/libexpat/lib/expat.h b/lib/libexpat/lib/expat.h
index 28b0f954d41..b6b02f4955f 100644
--- a/lib/libexpat/lib/expat.h
+++ b/lib/libexpat/lib/expat.h
@@ -24,7 +24,6 @@ extern "C" {
struct XML_ParserStruct;
typedef struct XML_ParserStruct *XML_Parser;
-/* Should this be defined using stdbool.h when C99 is available? */
typedef unsigned char XML_Bool;
#define XML_TRUE ((XML_Bool) 1)
#define XML_FALSE ((XML_Bool) 0)
@@ -1049,7 +1048,7 @@ XML_GetFeatureList(void);
*/
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 2
-#define XML_MICRO_VERSION 1
+#define XML_MICRO_VERSION 2
#ifdef __cplusplus
}
diff --git a/lib/libexpat/lib/siphash.h b/lib/libexpat/lib/siphash.h
index 9a9271c67b7..30a6f11d93c 100644
--- a/lib/libexpat/lib/siphash.h
+++ b/lib/libexpat/lib/siphash.h
@@ -2,9 +2,8 @@
* siphash.h - SipHash-2-4 in a single header file
* --------------------------------------------------------------------------
* Derived by William Ahern from the reference implementation[1] published[2]
- * by Jean-Philippe Aumasson and Daniel J. Berstein. Licensed in kind.
* by Jean-Philippe Aumasson and Daniel J. Berstein.
- * Minimal changes by Sebastian Pipping on top, details below.
+ * Minimal changes by Sebastian Pipping and Victor Stinner on top, see below.
* Licensed under the CC0 Public Domain Dedication license.
*
* 1. https://www.131002.net/siphash/siphash24.c
@@ -12,13 +11,22 @@
* --------------------------------------------------------------------------
* HISTORY:
*
- * 2017-06-10 (Sebastian Pipping)
+ * 2017-07-05 (Sebastian Pipping)
+ * - Use _SIP_ULL macro to not require a C++11 compiler if compiled as C++
+ * - Add const qualifiers at two places
+ * - Ensure <=80 characters line length (assuming tab width 4)
+ *
+ * 2017-06-23 (Victor Stinner)
+ * - Address Win64 compile warnings
+ *
+ * 2017-06-18 (Sebastian Pipping)
* - Clarify license note in the header
* - Address C89 issues:
* - Stop using inline keyword (and let compiler decide)
* - Replace _Bool by int
* - Turn macro siphash24 into a function
* - Address invalid conversion (void pointer) by explicit cast
+ * - Address lack of stdint.h for Visual Studio 2003 to 2008
* - Always expose sip24_valid (for self-tests)
*
* 2012-11-04 - Born. (William Ahern)
@@ -75,7 +83,23 @@
#define SIPHASH_H
#include <stddef.h> /* size_t */
-#include <stdint.h> /* uint64_t uint32_t uint8_t */
+
+#if defined(_WIN32) && defined(_MSC_VER) && (_MSC_VER < 1600)
+ /* For vs2003/7.1 up to vs2008/9.0; _MSC_VER 1600 is vs2010/10.0 */
+ typedef unsigned __int8 uint8_t;
+ typedef unsigned __int32 uint32_t;
+ typedef unsigned __int64 uint64_t;
+#else
+ #include <stdint.h> /* uint64_t uint32_t uint8_t */
+#endif
+
+
+/*
+ * Workaround to not require a C++11 compiler for using ULL suffix
+ * if this code is included and compiled as C++; related GCC warning is:
+ * warning: use of C++11 long long integer constant [-Wlong-long]
+ */
+#define _SIP_ULL(high, low) (((uint64_t)high << 32) | low)
#define SIP_ROTL(x, b) (uint64_t)(((x) << (b)) | ( (x) >> (64 - (b))))
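Review bot: The new `_SIP_ULL` macro does not parenthesise its arguments, so the `(uint64_t)` cast binds only to the first token of an expression argument and `| low` can mis-associate with a lower-precedence operator in the argument. Every use visible in this commit passes plain `U`-suffixed literals, so the problem is latent, but this is a single-header file meant to be included by other code. `#define _SIP_ULL(high, low) ((((uint64_t)(high)) << 32) | (low))` closes it. Separately, the name starts with an underscore followed by an uppercase letter, which C reserves for the implementation; `SIP_ULL` would match the neighbouring `SIP_ROTL`.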
@@ -157,11 +181,12 @@ static void sip_round(struct siphash *H, const int rounds) {
} /* sip_round() */
-static struct siphash *sip24_init(struct siphash *H, const struct sipkey *key) {
- H->v0 = 0x736f6d6570736575ULL ^ key->k[0];
- H->v1 = 0x646f72616e646f6dULL ^ key->k[1];
- H->v2 = 0x6c7967656e657261ULL ^ key->k[0];
- H->v3 = 0x7465646279746573ULL ^ key->k[1];
+static struct siphash *sip24_init(struct siphash *H,
+ const struct sipkey *key) {
+ H->v0 = _SIP_ULL(0x736f6d65U, 0x70736575U) ^ key->k[0];
+ H->v1 = _SIP_ULL(0x646f7261U, 0x6e646f6dU) ^ key->k[1];
+ H->v2 = _SIP_ULL(0x6c796765U, 0x6e657261U) ^ key->k[0];
+ H->v3 = _SIP_ULL(0x74656462U, 0x79746573U) ^ key->k[1];
H->p = H->buf;
H->c = 0;
@@ -172,7 +197,8 @@ static struct siphash *sip24_init(struct siphash *H, const struct sipkey *key) {
#define sip_endof(a) (&(a)[sizeof (a) / sizeof *(a)])
-static struct siphash *sip24_update(struct siphash *H, const void *src, size_t len) {
+static struct siphash *sip24_update(struct siphash *H, const void *src,
+ size_t len) {
const unsigned char *p = (const unsigned char *)src, *pe = p + len;
uint64_t m;
@@ -197,7 +223,7 @@ static struct siphash *sip24_update(struct siphash *H, const void *src, size_t l
static uint64_t sip24_final(struct siphash *H) {
- char left = H->p - H->buf;
+ const char left = (char)(H->p - H->buf);
uint64_t b = (H->c + left) << 56;
switch (left) {
@@ -221,7 +247,8 @@ static uint64_t sip24_final(struct siphash *H) {
} /* sip24_final() */
-static uint64_t siphash24(const void *src, size_t len, const struct sipkey *key) {
+static uint64_t siphash24(const void *src, size_t len,
+ const struct sipkey *key) {
struct siphash state = SIPHASH_INITIALIZER;
return sip24_final(sip24_update(sip24_init(&state, key), src, len));
} /* siphash24() */
@@ -309,10 +336,11 @@ static int sip24_valid(void) {
struct sipkey k;
size_t i;
- sip_tokey(&k, "\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017");
+ sip_tokey(&k, "\000\001\002\003\004\005\006\007\010\011"
+ "\012\013\014\015\016\017");
for (i = 0; i < sizeof in; ++i) {
- in[i] = i;
+ in[i] = (unsigned char)i;
if (siphash24(in, i, &k) != SIP_U8TO64_LE(vectors[i]))
return 0;
@@ -327,7 +355,7 @@ static int sip24_valid(void) {
#include <stdio.h>
int main(void) {
- int ok = sip24_valid();
+ const int ok = sip24_valid();
if (ok)
puts("OK");
diff --git a/lib/libexpat/lib/xmlparse.c b/lib/libexpat/lib/xmlparse.c
index 890913bb647..f97e7a869b1 100644
--- a/lib/libexpat/lib/xmlparse.c
+++ b/lib/libexpat/lib/xmlparse.c
@@ -1,10 +1,12 @@
/* Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
See the file COPYING for copying permission.
- 77fea421d361dca90041d0040ecf1dca651167fadf2af79e990e35168d70d933 (2.2.1+)
+ cd4063469a95eab9a93001afb109e3dee122cdda4635bbec36257fc01c327348 (2.2.2+)
*/
-#define _GNU_SOURCE /* syscall prototype */
+#if !defined(_GNU_SOURCE)
+# define _GNU_SOURCE 1 /* syscall prototype */
+#endif
#include <stddef.h>
#include <string.h> /* memset(), memcpy() */
@@ -436,6 +438,9 @@ static ELEMENT_TYPE *
getElementType(XML_Parser parser, const ENCODING *enc,
const char *ptr, const char *end);
+static XML_Char *copyString(const XML_Char *s,
+ const XML_Memory_Handling_Suite *memsuite);
+
static unsigned long generate_hash_secret_salt(XML_Parser parser);
static XML_Bool startParsing(XML_Parser parser);
@@ -827,6 +832,8 @@ parserCreate(const XML_Char *encodingName,
nsAttsVersion = 0;
nsAttsPower = 0;
+ protocolEncodingName = NULL;
+
poolInit(&tempPool, &(parser->m_mem));
poolInit(&temp2Pool, &(parser->m_mem));
parserInit(parser, encodingName);
@@ -853,9 +860,9 @@ parserInit(XML_Parser parser, const XML_Char *encodingName)
{
processor = prologInitProcessor;
XmlPrologStateInit(&prologState);
- protocolEncodingName = (encodingName != NULL
- ? poolCopyString(&tempPool, encodingName)
- : NULL);
+ if (encodingName != NULL) {
+ protocolEncodingName = copyString(encodingName, &(parser->m_mem));
+ }
curBase = NULL;
XmlInitEncoding(&initEncoding, &encoding, 0);
userData = NULL;
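Review bot: The result of `copyString()` in parserInit is not checked, so an allocation failure leaves `protocolEncodingName` NULL and the parser carries on as if the caller had passed no encoding name. XML_SetEncoding in this same commit returns `XML_STATUS_ERROR` for the identical failure, so the two paths disagree; a caller that forces a protocol encoding at creation or reset time would silently lose it under memory pressure. parserInit's return type and the rest of its body are outside the hunk, so the smallest change visible from here is to record the condition where the callers can act on it, or at least to document it with `/* on allocation failure protocolEncodingName stays NULL; callers cannot distinguish this from "no encoding given" */`. The function also now assigns the field only when `encodingName` is non-NULL, which relies on every caller having cleared it first, as parserCreate and XML_ParserReset do in this commit.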
@@ -968,6 +975,8 @@ XML_ParserReset(XML_Parser parser, const XML_Char *encodingName)
unknownEncodingRelease(unknownEncodingData);
poolClear(&tempPool);
poolClear(&temp2Pool);
+ FREE((void *)protocolEncodingName);
+ protocolEncodingName = NULL;
parserInit(parser, encodingName);
dtdReset(_dtd, &parser->m_mem);
return XML_TRUE;
@@ -984,10 +993,16 @@ XML_SetEncoding(XML_Parser parser, const XML_Char *encodingName)
*/
if (ps_parsing == XML_PARSING || ps_parsing == XML_SUSPENDED)
return XML_STATUS_ERROR;
+
+ /* Get rid of any previous encoding name */
+ FREE((void *)protocolEncodingName);
+
if (encodingName == NULL)
+ /* No new encoding name */
protocolEncodingName = NULL;
else {
- protocolEncodingName = poolCopyString(&tempPool, encodingName);
+ /* Copy the new encoding name into allocated memory */
+ protocolEncodingName = copyString(encodingName, &(parser->m_mem));
if (!protocolEncodingName)
return XML_STATUS_ERROR;
}
@@ -1222,6 +1237,7 @@ XML_ParserFree(XML_Parser parser)
destroyBindings(inheritedBindings, parser);
poolDestroy(&tempPool);
poolDestroy(&temp2Pool);
+ FREE((void *)protocolEncodingName);
#ifdef XML_DTD
/* external parameter entity parsers share the DTD structure
parser->m_dtd with the root parser, so we must not destroy it
@@ -1613,7 +1629,8 @@ enum XML_Status XMLCALL
XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
{
if ((parser == NULL) || (len < 0) || ((s == NULL) && (len != 0))) {
- errorCode = XML_ERROR_INVALID_ARGUMENT;
+ if (parser != NULL)
+ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
return XML_STATUS_ERROR;
}
switch (ps_parsing) {
@@ -3599,6 +3616,7 @@ initializeEncoding(XML_Parser parser)
const char *s;
#ifdef XML_UNICODE
char encodingBuf[128];
+ /* See comments abount `protoclEncodingName` in parserInit() */
if (!protocolEncodingName)
s = NULL;
else {
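Review bot: The comment added in initializeEncoding has two typos ("abount", "protoclEncodingName") and points the reader at comments in parserInit() that the parserInit hunk of this commit does not add, so the reference leads nowhere. A self-contained comment would serve better here, for example `/* protocolEncodingName is a heap copy made by copyString() and owned by the parser; NULL means no protocol encoding is set */`. The body of initializeEncoding continues outside this hunk.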
@@ -6692,3 +6710,26 @@ getElementType(XML_Parser parser,
}
return ret;
}
+
+static XML_Char *
+copyString(const XML_Char *s,
+ const XML_Memory_Handling_Suite *memsuite)
+{
+ int charsRequired = 0;
+ XML_Char *result;
+
+ /* First determine how long the string is */
+ while (s[charsRequired] != 0) {
+ charsRequired++;
+ }
+ /* Include the terminator */
+ charsRequired++;
+
+ /* Now allocate space for the copy */
+ result = memsuite->malloc_fcn(charsRequired * sizeof(XML_Char));
+ if (result == NULL)
+ return NULL;
+ /* Copy the original into place */
+ memcpy(result, s, charsRequired * sizeof(XML_Char));
+ return result;
+}
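Review bot: `charsRequired` in copyString is a signed `int`, so for an encoding name longer than INT_MAX characters the `charsRequired++` loop overflows, which is undefined behaviour, before the value ever reaches `malloc_fcn` or `memcpy`. Declaring it as `size_t charsRequired = 0;` keeps the length count, the allocation size and the copy length in one unsigned type. The function also dereferences `s` unconditionally; both callers in this commit check for NULL first, and that contract is worth stating above the definition, e.g. `/* s must be non-NULL and NUL-terminated; returns NULL on allocation failure, caller frees with the same memsuite */`.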
diff --git a/lib/libexpat/tests/memcheck.c b/lib/libexpat/tests/memcheck.c
index 0b1e5330cdf..4a24ddc1e42 100644
--- a/lib/libexpat/tests/memcheck.c
+++ b/lib/libexpat/tests/memcheck.c
@@ -167,7 +167,7 @@ tracking_report(void)
for (entry = alloc_head; entry != NULL; entry = entry->next)
{
printf("Allocated %lu bytes at %p\n",
- entry->num_bytes, entry->allocation);
+ (long unsigned)entry->num_bytes, entry->allocation);
}
return 0;
}
diff --git a/lib/libexpat/tests/minicheck.h b/lib/libexpat/tests/minicheck.h
index 319c981dd10..3702cf8191d 100644
--- a/lib/libexpat/tests/minicheck.h
+++ b/lib/libexpat/tests/minicheck.h
@@ -26,12 +26,6 @@ extern "C" {
#define __func__ __FUNCTION__
#endif
-/* ISO C90 does not support '__func__' predefined identifier */
-#if (defined(__STDC_VERSION__) && (__STDC_VERSION__ < 199901)) || \
- (defined(__GNUC__) && !defined(__STDC_VERSION__))
-# define __func__ "(unknown)"
-#endif
-
#define START_TEST(testname) static void testname(void) { \
_check_set_test_info(__func__, __FILE__, __LINE__); \
{
diff --git a/lib/libexpat/tests/runtests.c b/lib/libexpat/tests/runtests.c
index f205b5f9c35..5f5fde429fe 100644
--- a/lib/libexpat/tests/runtests.c
+++ b/lib/libexpat/tests/runtests.c
@@ -33,6 +33,18 @@
#define XML_FMT_INT_MOD "l"
#endif
+
+#if defined(NDEBUG)
+# error \
+ The test suite relies on assert(...) at the moment. \
+ You have NDEBUG defined which removes that code so that failures in the \
+ test suite can go unnoticed. \
+ \
+ While we rely on assert(...), compiling the test suite with NDEBUG \
+ defined is not supported.
+#endif
+
+
static XML_Parser parser = NULL;
@@ -247,7 +259,7 @@ START_TEST(test_siphash_spec)
const char message[] = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09"
"\x0a\x0b\x0c\x0d\x0e";
const size_t len = sizeof(message) - 1;
- const uint64_t expected = 0xa129ca6149be45e5ULL;
+ const uint64_t expected = _SIP_ULL(0xa129ca61U, 0x49be45e5U);
struct siphash state;
struct sipkey key;
(void)sip_tobin;
@@ -489,9 +501,11 @@ START_TEST(test_utf8_auto_align)
if (actualMovementInChars != cases[i].expectedMovementInChars) {
size_t j = 0;
success = false;
- printf("[-] UTF-8 case %2lu: Expected movement by %2ld chars"
- ", actually moved by %2ld chars: \"",
- i + 1, cases[i].expectedMovementInChars, actualMovementInChars);
+ printf("[-] UTF-8 case %2u: Expected movement by %2d chars"
+ ", actually moved by %2d chars: \"",
+ (unsigned)(i + 1),
+ (int)cases[i].expectedMovementInChars,
+ (int)actualMovementInChars);
for (; j < strlen(cases[i].input); j++) {
printf("\\x%02x", (unsigned char)cases[i].input[j]);
}