Revision: 7236
http://sourceforge.net/p/astlinux/code/7236
Author: abelbeck
Date: 2015-09-01 23:32:22 +0000 (Tue, 01 Sep 2015)
Log Message:
-----------
expat, add security patch for CVE-2015-1283 from upstream Buildroot, effects prosody
Ref: http://git.buildroot.net/buildroot/commit/package?id=67d6276c1bd050b362b11658ae0c7b4da73e227e
Added Paths:
-----------
branches/1.0/package/expat/expat-0001-fix-CVE-2015-1283.patch
Added: branches/1.0/package/expat/expat-0001-fix-CVE-2015-1283.patch
===================================================================
--- branches/1.0/package/expat/expat-0001-fix-CVE-2015-1283.patch (rev 0)
+++ branches/1.0/package/expat/expat-0001-fix-CVE-2015-1283.patch 2015-09-01 23:32:22 UTC (rev 7236)
@@ -0,0 +1,75 @@
+
+Signed-off-by: Gustavo Zacarias <gu...@za...>
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1673,29 +1673,40 @@ XML_ParseBuffer(XML_Parser parser, int l
+ XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);
+ positionPtr = bufferPtr;
+ return result;
+ }
+
+ void * XMLCALL
+ XML_GetBuffer(XML_Parser parser, int len)
+ {
++/* BEGIN MOZILLA CHANGE (sanity check len) */
++ if (len < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ switch (ps_parsing) {
+ case XML_SUSPENDED:
+ errorCode = XML_ERROR_SUSPENDED;
+ return NULL;
+ case XML_FINISHED:
+ errorCode = XML_ERROR_FINISHED;
+ return NULL;
+ default: ;
+ }
+
+ if (len > bufferLim - bufferEnd) {
+- /* FIXME avoid integer overflow */
+ int neededSize = len + (int)(bufferEnd - bufferPtr);
++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
++ if (neededSize < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ #ifdef XML_CONTEXT_BYTES
+ int keep = (int)(bufferPtr - buffer);
+
+ if (keep > XML_CONTEXT_BYTES)
+ keep = XML_CONTEXT_BYTES;
+ neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+ if (neededSize <= bufferLim - buffer) {
+@@ -1714,17 +1725,25 @@ XML_GetBuffer(XML_Parser parser, int len
+ }
+ else {
+ char *newBuf;
+ int bufferSize = (int)(bufferLim - bufferPtr);
+ if (bufferSize == 0)
+ bufferSize = INIT_BUFFER_SIZE;
+ do {
+ bufferSize *= 2;
+- } while (bufferSize < neededSize);
++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
++ } while (bufferSize < neededSize && bufferSize > 0);
++/* END MOZILLA CHANGE */
++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
++ if (bufferSize <= 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ newBuf = (char *)MALLOC(bufferSize);
+ if (newBuf == 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+ bufferLim = newBuf + bufferSize;
+ #ifdef XML_CONTEXT_BYTES
+ if (bufferPtr) {
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
