package/expat/0001-fix-CVE-2015-1283.patch - buildroot - Git at Google


 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
 @@ -1648,29 +1648,40 @@ XML_ParseBuffer(XML_Parser parser, int l
    XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);
    positionPtr = bufferPtr;
    return result;
  }

  void * XMLCALL
  XML_GetBuffer(XML_Parser parser, int len)
  {
 +/* BEGIN MOZILLA CHANGE (sanity check len) */
 +  if (len < 0) {
 +    errorCode = XML_ERROR_NO_MEMORY;
 +    return NULL;
 +  }
 +/* END MOZILLA CHANGE */
    switch (ps_parsing) {
    case XML_SUSPENDED:
      errorCode = XML_ERROR_SUSPENDED;
      return NULL;
    case XML_FINISHED:
      errorCode = XML_ERROR_FINISHED;
      return NULL;
    default: ;
    }

    if (len > bufferLim - bufferEnd) {
 -    /* FIXME avoid integer overflow */
      int neededSize = len + (int)(bufferEnd - bufferPtr);
 +/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
 +    if (neededSize < 0) {
 +      errorCode = XML_ERROR_NO_MEMORY;
 +      return NULL;
 +    }
 +/* END MOZILLA CHANGE */
  #ifdef XML_CONTEXT_BYTES
      int keep = (int)(bufferPtr - buffer);

      if (keep > XML_CONTEXT_BYTES)
        keep = XML_CONTEXT_BYTES;
      neededSize += keep;
  #endif  /* defined XML_CONTEXT_BYTES */
      if (neededSize  <= bufferLim - buffer) {
 @@ -1689,17 +1700,25 @@ XML_GetBuffer(XML_Parser parser, int len
      }
      else {
        char *newBuf;
        int bufferSize = (int)(bufferLim - bufferPtr);
        if (bufferSize == 0)
          bufferSize = INIT_BUFFER_SIZE;
        do {
          bufferSize *= 2;
 -      } while (bufferSize < neededSize);
 +/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
 +      } while (bufferSize < neededSize && bufferSize > 0);
 +/* END MOZILLA CHANGE */
 +/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
 +      if (bufferSize <= 0) {
 +        errorCode = XML_ERROR_NO_MEMORY;
 +        return NULL;
 +      }
 +/* END MOZILLA CHANGE */
        newBuf = (char *)MALLOC(bufferSize);
        if (newBuf == 0) {
          errorCode = XML_ERROR_NO_MEMORY;
          return NULL;
        }
        bufferLim = newBuf + bufferSize;
  #ifdef XML_CONTEXT_BYTES
        if (bufferPtr) {

	Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

	diff --git a/lib/xmlparse.c b/lib/xmlparse.c
	--- a/lib/xmlparse.c
	+++ b/lib/xmlparse.c
	@@ -1648,29 +1648,40 @@ XML_ParseBuffer(XML_Parser parser, int l
	XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);
	positionPtr = bufferPtr;
	return result;
	}

	void * XMLCALL
	XML_GetBuffer(XML_Parser parser, int len)
	{
	+/* BEGIN MOZILLA CHANGE (sanity check len) */
	+ if (len < 0) {
	+ errorCode = XML_ERROR_NO_MEMORY;
	+ return NULL;
	+ }
	+/* END MOZILLA CHANGE */
	switch (ps_parsing) {
	case XML_SUSPENDED:
	errorCode = XML_ERROR_SUSPENDED;
	return NULL;
	case XML_FINISHED:
	errorCode = XML_ERROR_FINISHED;
	return NULL;
	default: ;
	}

	if (len > bufferLim - bufferEnd) {
	- /* FIXME avoid integer overflow */
	int neededSize = len + (int)(bufferEnd - bufferPtr);
	+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
	+ if (neededSize < 0) {
	+ errorCode = XML_ERROR_NO_MEMORY;
	+ return NULL;
	+ }
	+/* END MOZILLA CHANGE */
	#ifdef XML_CONTEXT_BYTES
	int keep = (int)(bufferPtr - buffer);

	if (keep > XML_CONTEXT_BYTES)
	keep = XML_CONTEXT_BYTES;
	neededSize += keep;
	#endif /* defined XML_CONTEXT_BYTES */
	if (neededSize <= bufferLim - buffer) {
	@@ -1689,17 +1700,25 @@ XML_GetBuffer(XML_Parser parser, int len
	}
	else {
	char *newBuf;
	int bufferSize = (int)(bufferLim - bufferPtr);
	if (bufferSize == 0)
	bufferSize = INIT_BUFFER_SIZE;
	do {
	bufferSize *= 2;
	- } while (bufferSize < neededSize);
	+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
	+ } while (bufferSize < neededSize && bufferSize > 0);
	+/* END MOZILLA CHANGE */
	+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
	+ if (bufferSize <= 0) {
	+ errorCode = XML_ERROR_NO_MEMORY;
	+ return NULL;
	+ }
	+/* END MOZILLA CHANGE */
	newBuf = (char *)MALLOC(bufferSize);
	if (newBuf == 0) {
	errorCode = XML_ERROR_NO_MEMORY;
	return NULL;
	}
	bufferLim = newBuf + bufferSize;
	#ifdef XML_CONTEXT_BYTES
	if (bufferPtr) {