From c53bfe587459b8969b9f2306e53762f1dcfd401f Mon Sep 17 00:00:00 2001
From: bluhm
Date: Thu, 14 Mar 2024 17:35:37 +0000
Subject: [PATCH] Cerry-pick fix for CVE-2024-28757 from libexpat. Detect billion laughs attack with isolated external parser. github commit 1d50b80cf31de87750103656f6eb693746854aa8 OK deraadt@
---
 lib/libexpat/lib/xmlparse.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/libexpat/lib/xmlparse.c b/lib/libexpat/lib/xmlparse.c
index aaf0fa9c8f9..dfaa527af3a 100644
--- a/lib/libexpat/lib/xmlparse.c
+++ b/lib/libexpat/lib/xmlparse.c
@@ -7779,6 +7779,8 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
 static float
 accountingGetCurrentAmplification(XML_Parser rootParser) {
+ // 1.........1.........12 => 22
+ const size_t lenOfShortestInclude = sizeof("") - 1;
 const XmlBigCount countBytesOutput = rootParser->m_accounting.countBytesDirect + rootParser->m_accounting.countBytesIndirect;
@@ -7786,7 +7788,9 @@ accountingGetCurrentAmplification(XML_Parser rootParser) {
 = rootParser->m_accounting.countBytesDirect ? (countBytesOutput / (float)(rootParser->m_accounting.countBytesDirect))
- : 1.0f;
+ : ((lenOfShortestInclude + + rootParser->m_accounting.countBytesIndirect) / (float)lenOfShortestInclude);
 assert(! rootParser->m_parentParser);
 return amplificationFactor;
 }
--
2.20.1
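Review bot: The string literal in `sizeof("") - 1` is empty as shown here, which would make `lenOfShortestInclude` 0 instead of the 22 that the ruler comment above it counts out. The literal was presumably a minimal external-entity declaration containing angle brackets and appears to have been stripped when the page was rendered, so check the committed file before reusing this text. With a value of 0, the fallback branch in the second hunk would divide by zero. The ruler comment is also cryptic on its own; a line such as `/* length of the shortest declaration that can include an external entity */` would say what is being measured. The function body continues past this hunk.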
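Review bot: The new fallback arm of the ternary has no comment explaining why a parser with `countBytesDirect == 0` is now charged a notional input of `lenOfShortestInclude` bytes, and a reader cannot infer it from the expression. Going by the commit message this is the isolated external parser case, so I would add above the expression something like `/* no direct bytes counted (isolated external parser): assume the shortest possible include as input so indirect output still counts towards amplification */`. The diffstat shows only xmlparse.c changing, so no regression test appears to accompany the fix; a test that drives an external-entity parser on its own with a nested-entity payload and expects the amplification limit to trip would keep this branch from regressing. The ternary starts outside this hunk.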