tetromino 15/07/30 02:18:34 Added: expat-2.1.0-mozilla-sanity-check-size.patch Log: Fix buffer overflow (bug #555642, CVE-2015-1283, thanks to Agostino Sarubbo and Paweł Hajdan, Jr.). Improve description. Clean out old ebuilds. (Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key 0x18E5B6F2D8D5EC8D)
Revision Changes Path 1.1 dev-libs/expat/files/expat-2.1.0-mozilla-sanity-check-size.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/expat/files/expat-2.1.0-mozilla-sanity-check-size.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/expat/files/expat-2.1.0-mozilla-sanity-check-size.patch?rev=1.1&content-type=text/plain Index: expat-2.1.0-mozilla-sanity-check-size.patch =================================================================== # HG changeset patch # User Eric Rahm <[email protected]> # Date 1428706223 25200 # Node ID 438d9e2a991ab82381a1a1442a470b2565c80c13 # Parent 1c0861d7a6457f461cccccb2e0895a9f9d34c8d4 Bug 1140537 - Sanity check size calculations. r=peterv diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c --- a/parser/expat/lib/xmlparse.c +++ b/parser/expat/lib/xmlparse.c @@ -1648,29 +1648,40 @@ XML_ParseBuffer(XML_Parser parser, int l XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position); positionPtr = bufferPtr; return result; } void * XMLCALL XML_GetBuffer(XML_Parser parser, int len) { +/* BEGIN MOZILLA CHANGE (sanity check len) */ + if (len < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ switch (ps_parsing) { case XML_SUSPENDED: errorCode = XML_ERROR_SUSPENDED; return NULL; case XML_FINISHED: errorCode = XML_ERROR_FINISHED; return NULL; default: ; } if (len > bufferLim - bufferEnd) { - /* FIXME avoid integer overflow */ int neededSize = len + (int)(bufferEnd - bufferPtr); +/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ + if (neededSize < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ #ifdef XML_CONTEXT_BYTES int keep = (int)(bufferPtr - buffer); if (keep > XML_CONTEXT_BYTES) keep = XML_CONTEXT_BYTES; neededSize += keep; #endif /* defined XML_CONTEXT_BYTES */ if (neededSize <= bufferLim - buffer) { @@ -1689,17 +1700,25 @@ XML_GetBuffer(XML_Parser parser, int len } else { char *newBuf; int bufferSize = (int)(bufferLim - bufferPtr); if (bufferSize == 0) bufferSize = INIT_BUFFER_SIZE; do { bufferSize *= 2; - } while (bufferSize < neededSize); +/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ + } while (bufferSize < neededSize && bufferSize > 0); +/* END MOZILLA CHANGE */ +/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ + if (bufferSize <= 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ newBuf = (char *)MALLOC(bufferSize); if (newBuf == 0) { errorCode = XML_ERROR_NO_MEMORY; return NULL; } bufferLim = newBuf + bufferSize; #ifdef XML_CONTEXT_BYTES if (bufferPtr) {
