aboutsummaryrefslogtreecommitdiff
path: root/package/expat
diff options
context:
space:
mode:
authorGravatar Gustavo Zacarias <gustavo@zacarias.com.ar>2015-09-01 15:42:29 -0300
committerGravatar Peter Korsgaard <peter@korsgaard.com>2015-09-01 21:56:34 +0200
commit67d6276c1bd050b362b11658ae0c7b4da73e227e (patch)
treec28e841b76c746e34d4b4f9bfc4c60cb53434016 /package/expat
parent064ceebf93687e3496d3039a432cb5da70bbb0f8 (diff)
downloadbuildroot-67d6276c1bd050b362b11658ae0c7b4da73e227e.tar.gz
buildroot-67d6276c1bd050b362b11658ae0c7b4da73e227e.tar.bz2
expat: add security patch for CVE-2015-1283
Fixes: CVE-2015-1283 - Multiple integer overflows in the XML_GetBuffer function. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/expat')
-rw-r--r--package/expat/0001-fix-CVE-2015-1283.patch76
1 files changed, 76 insertions, 0 deletions
diff --git a/package/expat/0001-fix-CVE-2015-1283.patch b/package/expat/0001-fix-CVE-2015-1283.patch
new file mode 100644
index 0000000000..cdebaa0fd7
--- /dev/null
+++ b/package/expat/0001-fix-CVE-2015-1283.patch
@@ -0,0 +1,76 @@
+
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1648,29 +1648,40 @@ XML_ParseBuffer(XML_Parser parser, int l
+ XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);
+ positionPtr = bufferPtr;
+ return result;
+ }
+
+ void * XMLCALL
+ XML_GetBuffer(XML_Parser parser, int len)
+ {
++/* BEGIN MOZILLA CHANGE (sanity check len) */
++ if (len < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ switch (ps_parsing) {
+ case XML_SUSPENDED:
+ errorCode = XML_ERROR_SUSPENDED;
+ return NULL;
+ case XML_FINISHED:
+ errorCode = XML_ERROR_FINISHED;
+ return NULL;
+ default: ;
+ }
+
+ if (len > bufferLim - bufferEnd) {
+- /* FIXME avoid integer overflow */
+ int neededSize = len + (int)(bufferEnd - bufferPtr);
++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
++ if (neededSize < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ #ifdef XML_CONTEXT_BYTES
+ int keep = (int)(bufferPtr - buffer);
+
+ if (keep > XML_CONTEXT_BYTES)
+ keep = XML_CONTEXT_BYTES;
+ neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+ if (neededSize <= bufferLim - buffer) {
+@@ -1689,17 +1700,25 @@ XML_GetBuffer(XML_Parser parser, int len
+ }
+ else {
+ char *newBuf;
+ int bufferSize = (int)(bufferLim - bufferPtr);
+ if (bufferSize == 0)
+ bufferSize = INIT_BUFFER_SIZE;
+ do {
+ bufferSize *= 2;
+- } while (bufferSize < neededSize);
++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
++ } while (bufferSize < neededSize && bufferSize > 0);
++/* END MOZILLA CHANGE */
++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
++ if (bufferSize <= 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ newBuf = (char *)MALLOC(bufferSize);
+ if (newBuf == 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+ bufferLim = newBuf + bufferSize;
+ #ifdef XML_CONTEXT_BYTES
+ if (bufferPtr) {
+