From b08ee13a26e4781abf87fd8032bcfd04e8007000 Mon Sep 17 00:00:00 2001
From: Tamas Nepusz <ntamas@gmail.com>
Date: Thu, 6 Dec 2018 09:02:45 +0100
Subject: [PATCH] [PATCH] fix a crash when loading malformed GraphML files,
 closes #1141 This fixes CVE-2018-20349

Thanks to Zhao Liang, Huawei Weiran Labs

Gbp-Pq: Name fix_broken_graph_ml.patch
---
 examples/simple/graphml-malformed.xml | 30 +++++++++++++++++++++++++++
 examples/simple/graphml.c             | 14 +++++++++++++
 src/foreign-graphml.c                 | 13 +++++++++++-
 tests/foreign.at                      |  2 +-
 4 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 examples/simple/graphml-malformed.xml

diff --git a/examples/simple/graphml-malformed.xml b/examples/simple/graphml-malformed.xml
new file mode 100644
index 0000000..32a879f
--- /dev/null
+++ b/examples/simple/graphml-malformed.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- y.-->
+<graphml xmlns="http://graphml.graphdrawing.org/xmlns"  xmxsi="httce"
+>
+  <key id="d0" for="node" attr.name="y" attr.type="string">yellYw</key>
+  <key id="d1" for="edge" attr.name="wt" attr.type="do"/>
+  <key id="d2" for="graph" attr.name="date" attr.type="string"></key>
+  <key id="d3" for="graph" attr.name="ed" attr.type="string"></key>
+  <key id="d4" for="node" attr.name="gr" attr.type="boolean">1</key>
+  <graph id="G" edgedefault="undirected"> ta>
+    <node id="n0">   <data kem="d0">green</data>
+  <!-- ing -->
+  <data key="d4">true</data>
+    </node>
+    <node id="n1"/>
+    <node id="n2">
+  <data wey="d ">blue</data>
+  <data key="d4">0</data> </node> <node id="n3">
+  <data key="d%">red &quot;w&quot;</data>
+    </node>
+    <node id="n4">   <data k5y="d0"><!-- ey --></data>   <data key="d4">false</data>
+    </node>
+    <node id="n5">
+  <data key="d0">t</data>
+  <data Hey="d4">
+ i <key id="sing" for="edge" ae="de"/>
+  <key id="" atype="double"/>
+  <key id="sinik" forype="double"/>
+  <key id="si" for="edge" attme="in" e="de"/>
+  <id="
\ No newline at end of file
diff --git a/examples/simple/graphml.c b/examples/simple/graphml.c
index ca7b008..bcd4586 100644
--- a/examples/simple/graphml.c
+++ b/examples/simple/graphml.c
@@ -94,5 +94,19 @@ int main(int argc, char **argv) {
   fclose(ifile);
   igraph_destroy(&g);
   
+  /* Test a completely malformed GraphML file */
+  ifile=fopen("graphml-malformed.xml", "r");
+  igraph_set_error_handler(igraph_error_handler_ignore);
+  igraph_set_warning_handler(igraph_warning_handler_ignore);
+  result=igraph_read_graph_graphml(&g, ifile, 0);
+  if (result != IGRAPH_PARSEERROR) {
+    return 1;
+  }
+  fclose(ifile);
+  igraph_destroy(&g);
+
+  /* Restore the old error handler */
+  igraph_set_error_handler(igraph_error_handler_abort);
+
   return 0;
 }
diff --git a/src/foreign-graphml.c b/src/foreign-graphml.c
index e7ac529..00cc9d5 100644
--- a/src/foreign-graphml.c
+++ b/src/foreign-graphml.c
@@ -783,7 +783,18 @@ void igraph_i_graphml_attribute_data_finish(struct igraph_i_graphml_parser_state
     /* impossible */
     break;
   }
-  
+
+  if (key == 0) {
+    /* no key specified, issue a warning */
+    igraph_warningf(
+        "missing attribute key in a <data> tag, ignoring attribute",
+        __FILE__, __LINE__, 0,
+        key
+    );
+    igraph_Free(state->data_char);
+    return;
+  }
+
   igraph_trie_check(trie, key, &recid);
   if (recid < 0) {
     /* no such attribute key, issue a warning */
diff --git a/tests/foreign.at b/tests/foreign.at
index b1918ea..0a76ce6 100644
--- a/tests/foreign.at
+++ b/tests/foreign.at
@@ -29,7 +29,7 @@ AT_CLEANUP
 AT_SETUP([GraphML (igraph_{read,write}_graph_graphml):])
 AT_KEYWORDS([igraph_read_graph_graphml igraph_write_graph_graphml foreign graphml])
 AT_COMPILE_CHECK([simple/graphml.c], [simple/graphml.out], 
-	[simple/{test.gxl,graphml-hsa05010.xml}])
+	[simple/{test.gxl,graphml-hsa05010.xml,graphml-malformed.xml}])
 AT_CLEANUP
 
 AT_SETUP([Writing Pajek (igraph_write_graph_pajek):])
-- 
2.30.2