From 20e259518d8fc53a5b99eb686f64e38a2e77d0b3 Mon Sep 17 00:00:00 2001 From: Nan Zhang Date: Fri, 14 Sep 2018 18:16:22 +0000 Subject: Revert "Security Vulnerability - CVE-2012-6702 and CVE-2016-5300" This reverts commit caf0317e4cd0cd19a1bed5e2c68ca2bc86b0f7ba. Reason for revert: Revert this patch for now so that we can let AOSP merge-CL (go/oag/756770) flow down. The upstream Python probably fixed this issue. Test: m -j Bug: b/29149404 Change-Id: Ic84d041956ea244041182a9113deaf54edee6b0b --- Modules/expat/xmlparse.c | 59 ++++++++++-------------------------------------- 1 file changed, 12 insertions(+), 47 deletions(-) diff --git a/Modules/expat/xmlparse.c b/Modules/expat/xmlparse.c index 3f0939e88d..412838794d 100644 --- a/Modules/expat/xmlparse.c +++ b/Modules/expat/xmlparse.c @@ -2,20 +2,6 @@ See the file COPYING for copying permission. */ -#include -#include -#include /* memset(), memcpy() */ -#include -#include /* UINT_MAX */ - -#ifdef COMPILED_FROM_DSP -#define getpid GetCurrentProcessId -#else -#include /* gettimeofday() */ -#include /* getpid() */ -#include /* getpid() */ -#endif - #define XML_BUILDING_EXPAT 1 #ifdef COMPILED_FROM_DSP @@ -30,6 +16,12 @@ #include #endif /* ndef COMPILED_FROM_DSP */ +#include +#include /* memset(), memcpy() */ +#include +#include /* UINT_MAX */ +#include /* time() */ + #include "ascii.h" #include "expat.h" @@ -440,7 +432,7 @@ static ELEMENT_TYPE * getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr, const char *end); -static unsigned long generate_hash_secret_salt(XML_Parser parser); +static unsigned long generate_hash_secret_salt(void); static XML_Bool startParsing(XML_Parser parser); static XML_Parser 
@@ -699,38 +691,11 @@ static const XML_Char implicitContext[] = { }; static unsigned long -gather_time_entropy(void) -{ -#ifdef COMPILED_FROM_DSP - FILETIME ft; - GetSystemTimeAsFileTime(&ft); /* never fails */ - return ft.dwHighDateTime ^ ft.dwLowDateTime; -#else - struct timeval tv; - int gettimeofday_res; - - gettimeofday_res = gettimeofday(&tv, NULL); - assert (gettimeofday_res == 0); - - /* Microseconds time is <20 bits entropy */ - return tv.tv_usec; -#endif -} - -static unsigned long -generate_hash_secret_salt(XML_Parser parser) +generate_hash_secret_salt(void) { - /* Process ID is 0 bits entropy if attacker has local access - * XML_Parser address is few bits of entropy if attacker has local access */ - const unsigned long entropy = - gather_time_entropy() ^ getpid() ^ (uintptr_t)parser; - - /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */ - if (sizeof(unsigned long) == 4) { - return entropy * 2147483647; - } else { - return entropy * 2305843009213693951; - } + unsigned int seed = time(NULL) % UINT_MAX; + srand(seed); + return rand(); } static XML_Bool /* only valid for root parser */ @@ -738,7 +703,7 @@ startParsing(XML_Parser parser) { /* hash functions must be initialized before setContext() is called */ if (hash_secret_salt == 0) - hash_secret_salt = generate_hash_secret_salt(parser); + hash_secret_salt = generate_hash_secret_salt(); if (ns) { /* implicit context only set for root parser, since child parsers (i.e. external entity parsers) will inherit it -- cgit v1.2.3
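Review bot: The restored `generate_hash_secret_salt(void)` builds the hash salt from `srand(time(NULL) % UINT_MAX); rand()`, so the salt is guessable from the process start time to within a second and is limited to the range of `rand()`. The `srand()` call also resets the `rand()` sequence of whatever application embeds the parser. These are the two weaknesses the reverted commit's subject names as CVE-2016-5300 and CVE-2012-6702. The commit message only says upstream "probably" fixed this, so either hold the revert until the merged upstream code is confirmed to generate its own salt, or stop this function from using `srand()` in the interim. The sketch below reads the salt from the OS random device and uses the clock only as a last resort; it needs `<stdio.h>` in scope, the COMPILED_FROM_DSP build would take the fallback, and a zero result is avoided where possible because `startParsing` treats 0 as "not yet set".

```c
static unsigned long
generate_hash_secret_salt(void)
{
  unsigned long salt = 0;
  FILE *urandom = fopen("/dev/urandom", "rb");

  if (urandom != NULL) {
    /* a short read leaves salt at 0 and falls through to the fallback */
    if (fread(&salt, sizeof(salt), 1, urandom) != 1)
      salt = 0;
    fclose(urandom);
  }
  if (salt == 0) {
    /* last resort: low-entropy clock value, but no srand(), so the
     * embedding application's rand() state is left alone */
    salt = (unsigned long)time(NULL);
  }
  return salt;
}
```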