From 37f590756a23e167808f76f1389c36f0a2d39f11 Mon Sep 17 00:00:00 2001 From: Raphaƫl Hertzog Date: Tue, 25 Aug 2015 22:30:28 +0200 Subject: Restore all patches available in 2.9.1+dfsg1-5 in stretch, ensuring CVE-2014-3660 is fixed too. --- .../0048-Possible-overflow-in-HTMLParser.c.patch | 38 ++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch (limited to 'debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch') diff --git a/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch b/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch new file mode 100644 index 0000000..8d0dcc8 --- /dev/null +++ b/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch @@ -0,0 +1,38 @@ +From: Daniel Veillard +Date: Mon, 6 Oct 2014 18:51:04 +0800 +Subject: Possible overflow in HTMLParser.c + +For https://bugzilla.gnome.org/show_bug.cgi?id=720615 + +make sure that the encoding string passed is of reasonable size +--- + HTMLparser.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 4c51cc5..8d34fd1 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -6288,12 +6288,16 @@ htmlCreateFileParserCtxt(const char *filename, const char *encoding) + + /* set encoding */ + if (encoding) { +- content = xmlMallocAtomic (xmlStrlen(content_line) + strlen(encoding) + 1); +- if (content) { +- strcpy ((char *)content, (char *)content_line); +- strcat ((char *)content, (char *)encoding); +- htmlCheckEncoding (ctxt, content); +- xmlFree (content); ++ size_t l = strlen(encoding); ++ ++ if (l < 1000) { ++ content = xmlMallocAtomic (xmlStrlen(content_line) + l + 1); ++ if (content) { ++ strcpy ((char *)content, (char *)content_line); ++ strcat ((char *)content, (char *)encoding); ++ htmlCheckEncoding (ctxt, content); ++ xmlFree (content); ++ } + } + } + -- cgit v1.2.3