Note, CVE-2015-1283 is already patched in expat version 2.1.1 but, as explained in the patch, the fix was insufficient.
Showing
3 changed files
with
794 additions
and
0 deletions.
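--- a/pkgs/development/libraries/expat/CVE-2015-1283-refix.patch
+++ b/pkgs/development/libraries/expat/CVE-2015-1283-refix.patch
@@ -0,0 +1,37 @@
+From 29a11774d8ebbafe8418b4a5ffb4cc1160b194a1 Mon Sep 17 00:00:00 2001
+From: Pascal Cuoq <cuoq@trust-in-soft.com>
+Date: Sun, 15 May 2016 09:05:46 +0200
+Subject: [PATCH] Avoid relying on undefined behavior in CVE-2015-1283 fix. It
+does not really work: https://godbolt.org/g/Zl8gdF
+
+---
+expat/lib/xmlparse.c | 6 ++++--
+1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 13e080d..cdb12ef 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1693,7 +1693,8 @@ XML_GetBuffer(XML_Parser parser, int len)
+}
+
+if (len > bufferLim - bufferEnd) {
+- int neededSize = len + (int)(bufferEnd - bufferPtr);
++ /* Do not invoke signed arithmetic overflow: */
++ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
+if (neededSize < 0) {
+errorCode = XML_ERROR_NO_MEMORY;
+return NULL;
+@@ -1725,7 +1726,8 @@ XML_GetBuffer(XML_Parser parser, int len)
+if (bufferSize == 0)
+bufferSize = INIT_BUFFER_SIZE;
+do {
+- bufferSize *= 2;
++ /* Do not invoke signed arithmetic overflow: */
++ bufferSize = (int) (2U * (unsigned) bufferSize);
+} while (bufferSize < neededSize && bufferSize > 0);
+if (bufferSize <= 0) {
+errorCode = XML_ERROR_NO_MEMORY;
+--
+2.8.2
+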
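Review bot: The `if (neededSize < 0)` test in the first XML_GetBuffer hunk now depends on how the compiler converts an out-of-range unsigned value to `int`, which is implementation-defined rather than undefined. The overflow check therefore holds only where that conversion wraps, as GCC and Clang document. Testing the bound before any narrowing, e.g. `if (len > INT_MAX - (int)(bufferEnd - bufferPtr))`, would remove the dependency, assuming `<limits.h>` is available in xmlparse.c. The same reasoning applies to `bufferSize = (int) (2U * (unsigned) bufferSize);` in the second hunk, where `if (bufferSize > INT_MAX / 2)` before doubling would do. If the casts stay, the comment should say so, for instance `/* relies on unsigned-to-int conversion wrapping (implementation-defined) */`. XML_GetBuffer begins and ends outside both hunks, so earlier validation of `len` cannot be checked from here.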