summaryrefslogtreecommitdiff
path: root/meta/recipes-core/expat/expat-2.1.0
diff options
context:
space:
mode:
authorZhixiong Chi <Zhixiong.Chi@windriver.com>2015-12-24 17:29:59 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-01-07 13:40:03 +0000
commitc89c5383e304a52b604a3672ac93fd88b5eb8b41 (patch)
tree24b875b2723ec1e79fcc4198513dcb522e7fa1f1 /meta/recipes-core/expat/expat-2.1.0
parenta71bfa1e75f7b963a91ee03db169af60372987f3 (diff)
downloadopenembedded-core-c89c5383e304a52b604a3672ac93fd88b5eb8b41.tar.gz
openembedded-core-c89c5383e304a52b604a3672ac93fd88b5eb8b41.tar.bz2
openembedded-core-c89c5383e304a52b604a3672ac93fd88b5eb8b41.zip
expat: CVE-2015-1283
Add CVE-2015-1283 patch for fixing integer overflow bug in expat. Details are at below link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283 Patch comes from: https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c https://codereview.chromium.org/1224303003 Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-core/expat/expat-2.1.0')
-rw-r--r--meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch62
1 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
new file mode 100644
index 0000000000..1d0acb6b91
--- /dev/null
+++ b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
@@ -0,0 +1,62 @@
+Multiple integer overflows in the XML_GetBuffer function in Expat
+through 2.1.0, allow remote attackers to cause a denial of service
+(heap-based buffer overflow) or possibly have unspecified other
+impact via crafted XML data.
+
+CVSSv2: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
+
+CVE: CVE-2015-1283
+Upstream-Status: Backport
+
+Signed-off-by: Eric Rahm <erahm@mozilla.com>
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windirver.com>
+
+Index: expat-2.1.0/lib/xmlparse.c
+===================================================================
+--- expat-2.1.0.orig/lib/xmlparse.c 2012-03-11 13:13:12.000000000 +0800
++++ expat-2.1.0/lib/xmlparse.c 2015-12-23 10:29:07.347361329 +0800
+@@ -1678,6 +1678,12 @@
+ void * XMLCALL
+ XML_GetBuffer(XML_Parser parser, int len)
+ {
++/* BEGIN MOZILLA CHANGE (sanity check len) */
++ if (len < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ switch (ps_parsing) {
+ case XML_SUSPENDED:
+ errorCode = XML_ERROR_SUSPENDED;
+@@ -1689,8 +1695,13 @@
+ }
+
+ if (len > bufferLim - bufferEnd) {
+- /* FIXME avoid integer overflow */
+ int neededSize = len + (int)(bufferEnd - bufferPtr);
++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
++ if (neededSize < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ #ifdef XML_CONTEXT_BYTES
+ int keep = (int)(bufferPtr - buffer);
+
+@@ -1719,7 +1730,15 @@
+ bufferSize = INIT_BUFFER_SIZE;
+ do {
+ bufferSize *= 2;
+- } while (bufferSize < neededSize);
++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
++ } while (bufferSize < neededSize && bufferSize > 0);
++/* END MOZILLA CHANGE */
++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
++ if (bufferSize <= 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ newBuf = (char *)MALLOC(bufferSize);
+ if (newBuf == 0) {
+ errorCode = XML_ERROR_NO_MEMORY;