summaryrefslogtreecommitdiff
path: root/meta/recipes-core/expat
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-core/expat')
-rw-r--r--meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch62
-rw-r--r--meta/recipes-core/expat/expat.inc4
2 files changed, 65 insertions, 1 deletions
diff --git a/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
new file mode 100644
index 0000000000..1d0acb6b91
--- /dev/null
+++ b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
@@ -0,0 +1,62 @@
+Multiple integer overflows in the XML_GetBuffer function in Expat
+through 2.1.0, allow remote attackers to cause a denial of service
+(heap-based buffer overflow) or possibly have unspecified other
+impact via crafted XML data.
+
+CVSSv2: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
+
+CVE: CVE-2015-1283
+Upstream-Status: Backport
+
+Signed-off-by: Eric Rahm <erahm@mozilla.com>
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windirver.com>
+
+Index: expat-2.1.0/lib/xmlparse.c
+===================================================================
+--- expat-2.1.0.orig/lib/xmlparse.c 2012-03-11 13:13:12.000000000 +0800
++++ expat-2.1.0/lib/xmlparse.c 2015-12-23 10:29:07.347361329 +0800
+@@ -1678,6 +1678,12 @@
+ void * XMLCALL
+ XML_GetBuffer(XML_Parser parser, int len)
+ {
++/* BEGIN MOZILLA CHANGE (sanity check len) */
++ if (len < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ switch (ps_parsing) {
+ case XML_SUSPENDED:
+ errorCode = XML_ERROR_SUSPENDED;
+@@ -1689,8 +1695,13 @@
+ }
+
+ if (len > bufferLim - bufferEnd) {
+- /* FIXME avoid integer overflow */
+ int neededSize = len + (int)(bufferEnd - bufferPtr);
++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
++ if (neededSize < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ #ifdef XML_CONTEXT_BYTES
+ int keep = (int)(bufferPtr - buffer);
+
+@@ -1719,7 +1730,15 @@
+ bufferSize = INIT_BUFFER_SIZE;
+ do {
+ bufferSize *= 2;
+- } while (bufferSize < neededSize);
++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
++ } while (bufferSize < neededSize && bufferSize > 0);
++/* END MOZILLA CHANGE */
++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
++ if (bufferSize <= 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ newBuf = (char *)MALLOC(bufferSize);
+ if (newBuf == 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
diff --git a/meta/recipes-core/expat/expat.inc b/meta/recipes-core/expat/expat.inc
index 6dfafe94d2..4bd60a2a6d 100644
--- a/meta/recipes-core/expat/expat.inc
+++ b/meta/recipes-core/expat/expat.inc
@@ -5,7 +5,9 @@ SECTION = "libs"
LICENSE = "MIT"
SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.gz \
- file://autotools.patch"
+ file://autotools.patch \
+ file://expat-CVE-2015-1283.patch \
+ "
inherit autotools lib_package gzipnative