1 |
tetromino 15/07/30 02:18:34 |
2 |
|
3 |
Added: expat-2.1.0-mozilla-sanity-check-size.patch |
4 |
Log: |
5 |
Fix buffer overflow (bug #555642, CVE-2015-1283, thanks to Agostino Sarubbo and Paweł Hajdan, Jr.). Improve description. Clean out old ebuilds. |
6 |
|
7 |
(Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key 0x18E5B6F2D8D5EC8D) |
8 |
|
9 |
Revision Changes Path |
10 |
1.1 dev-libs/expat/files/expat-2.1.0-mozilla-sanity-check-size.patch |
11 |
|
12 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/expat/files/expat-2.1.0-mozilla-sanity-check-size.patch?rev=1.1&view=markup |
13 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/expat/files/expat-2.1.0-mozilla-sanity-check-size.patch?rev=1.1&content-type=text/plain |
14 |
|
15 |
Index: expat-2.1.0-mozilla-sanity-check-size.patch |
16 |
=================================================================== |
17 |
|
18 |
# HG changeset patch |
19 |
# User Eric Rahm <erahm@×××××××.com> |
20 |
# Date 1428706223 25200 |
21 |
# Node ID 438d9e2a991ab82381a1a1442a470b2565c80c13 |
22 |
# Parent 1c0861d7a6457f461cccccb2e0895a9f9d34c8d4 |
23 |
Bug 1140537 - Sanity check size calculations. r=peterv |
24 |
|
25 |
diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c |
26 |
--- a/parser/expat/lib/xmlparse.c |
27 |
+++ b/parser/expat/lib/xmlparse.c |
28 |
@@ -1648,29 +1648,40 @@ XML_ParseBuffer(XML_Parser parser, int l |
29 |
XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position); |
30 |
positionPtr = bufferPtr; |
31 |
return result; |
32 |
} |
33 |
|
34 |
void * XMLCALL |
35 |
XML_GetBuffer(XML_Parser parser, int len) |
36 |
{ |
37 |
+/* BEGIN MOZILLA CHANGE (sanity check len) */ |
38 |
+ if (len < 0) { |
39 |
+ errorCode = XML_ERROR_NO_MEMORY; |
40 |
+ return NULL; |
41 |
+ } |
42 |
+/* END MOZILLA CHANGE */ |
43 |
switch (ps_parsing) { |
44 |
case XML_SUSPENDED: |
45 |
errorCode = XML_ERROR_SUSPENDED; |
46 |
return NULL; |
47 |
case XML_FINISHED: |
48 |
errorCode = XML_ERROR_FINISHED; |
49 |
return NULL; |
50 |
default: ; |
51 |
} |
52 |
|
53 |
if (len > bufferLim - bufferEnd) { |
54 |
- /* FIXME avoid integer overflow */ |
55 |
int neededSize = len + (int)(bufferEnd - bufferPtr); |
56 |
+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ |
57 |
+ if (neededSize < 0) { |
58 |
+ errorCode = XML_ERROR_NO_MEMORY; |
59 |
+ return NULL; |
60 |
+ } |
61 |
+/* END MOZILLA CHANGE */ |
62 |
#ifdef XML_CONTEXT_BYTES |
63 |
int keep = (int)(bufferPtr - buffer); |
64 |
|
65 |
if (keep > XML_CONTEXT_BYTES) |
66 |
keep = XML_CONTEXT_BYTES; |
67 |
neededSize += keep; |
68 |
#endif /* defined XML_CONTEXT_BYTES */ |
69 |
if (neededSize <= bufferLim - buffer) { |
70 |
@@ -1689,17 +1700,25 @@ XML_GetBuffer(XML_Parser parser, int len |
71 |
} |
72 |
else { |
73 |
char *newBuf; |
74 |
int bufferSize = (int)(bufferLim - bufferPtr); |
75 |
if (bufferSize == 0) |
76 |
bufferSize = INIT_BUFFER_SIZE; |
77 |
do { |
78 |
bufferSize *= 2; |
79 |
- } while (bufferSize < neededSize); |
80 |
+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ |
81 |
+ } while (bufferSize < neededSize && bufferSize > 0); |
82 |
+/* END MOZILLA CHANGE */ |
83 |
+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ |
84 |
+ if (bufferSize <= 0) { |
85 |
+ errorCode = XML_ERROR_NO_MEMORY; |
86 |
+ return NULL; |
87 |
+ } |
88 |
+/* END MOZILLA CHANGE */ |
89 |
newBuf = (char *)MALLOC(bufferSize); |
90 |
if (newBuf == 0) { |
91 |
errorCode = XML_ERROR_NO_MEMORY; |
92 |
return NULL; |
93 |
} |
94 |
bufferLim = newBuf + bufferSize; |
95 |
#ifdef XML_CONTEXT_BYTES |
96 |
if (bufferPtr) { |