Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

expat:

 * add security fix for [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1283 CVE-2015-1283] 


git-svn-id: file:///var/svn/freetz/trunk@13373 149334a1-2f27-0410-a3b9-fc62619ac1e6
  • Loading branch information...
commit 130589eccc7cfe5b23771438cba29b280d7d66e2 1 parent aa10a27
er13 authored
Showing with 88 additions and 0 deletions.
  1. +88 −0 make/libs/expat/patches/510-CVE-2015-1283.debian.patch
View
88 make/libs/expat/patches/510-CVE-2015-1283.debian.patch
@@ -0,0 +1,88 @@
+Description: fix multiple integer overflows in the XML_GetBuffer function
+ Multiple integer overflows in the XML_GetBuffer function in Expat through
+ 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products,
+ allow remote attackers to cause a denial of service (heap-based buffer
+ overflow) or possibly have unspecified other impact via crafted XML data,
+ a related issue to CVE-2015-2716.
+Origin: Mozilla, https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c
+Author: Eric Rahm <erahm@mozilla.com>
+Forwarded: not-needed
+Last-Update: 2015-07-24
+
+
+Bug-Debian: https://bugs.debian.org/764130
+Author: Markus Hoenicka <markus.hoenicka@mhoenicka.de>
+Last-Update: 2014-11-01
+
+
+--- lib/xmlparse.c
++++ lib/xmlparse.c
+@@ -1673,29 +1673,40 @@ XML_ParseBuffer(XML_Parser parser, int l
+ XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);
+ positionPtr = bufferPtr;
+ return result;
+ }
+
+ void * XMLCALL
+ XML_GetBuffer(XML_Parser parser, int len)
+ {
++/* BEGIN MOZILLA CHANGE (sanity check len) */
++ if (len < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ switch (ps_parsing) {
+ case XML_SUSPENDED:
+ errorCode = XML_ERROR_SUSPENDED;
+ return NULL;
+ case XML_FINISHED:
+ errorCode = XML_ERROR_FINISHED;
+ return NULL;
+ default: ;
+ }
+
+ if (len > bufferLim - bufferEnd) {
+- /* FIXME avoid integer overflow */
+ int neededSize = len + (int)(bufferEnd - bufferPtr);
++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
++ if (neededSize < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ #ifdef XML_CONTEXT_BYTES
+ int keep = (int)(bufferPtr - buffer);
+
+ if (keep > XML_CONTEXT_BYTES)
+ keep = XML_CONTEXT_BYTES;
+ neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+ if (neededSize <= bufferLim - buffer) {
+@@ -1714,17 +1725,25 @@ XML_GetBuffer(XML_Parser parser, int len
+ }
+ else {
+ char *newBuf;
+ int bufferSize = (int)(bufferLim - bufferPtr);
+ if (bufferSize == 0)
+ bufferSize = INIT_BUFFER_SIZE;
+ do {
+ bufferSize *= 2;
+- } while (bufferSize < neededSize);
++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
++ } while (bufferSize < neededSize && bufferSize > 0);
++/* END MOZILLA CHANGE */
++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
++ if (bufferSize <= 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ newBuf = (char *)MALLOC(bufferSize);
+ if (newBuf == 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+ bufferLim = newBuf + bufferSize;
+ #ifdef XML_CONTEXT_BYTES
+ if (bufferPtr) {

0 comments on commit 130589e

Please sign in to comment.
Something went wrong with that request. Please try again.