author | tnn <tnn@pkgsrc.org> | 2015-08-04 08:47:19 +0000 |
---|---|---|
committer | tnn <tnn@pkgsrc.org> | 2015-08-04 08:47:19 +0000 |
commit | 762ba2418d7fa8c3244e9d4b68f75bf89431ff6d (patch) | |
tree | c699b137bdd507679d05fc9cdc94f1f9895f80a4 | |
parent | a1438b4dc9dc960d3ecbb887c59eee0e0f096186 (diff) | |
download | pkgsrc-762ba2418d7fa8c3244e9d4b68f75bf89431ff6d.tar.gz |
CVE-2015-1283 heap based buffer overflow in expat.
Patch via Debian bug#793484 and Mozilla. Bump.
-rw-r--r-- | textproc/expat/Makefile | 3 | ||||
-rw-r--r-- | textproc/expat/distinfo | 3 | ||||
-rw-r--r-- | textproc/expat/patches/patch-xmlparse.c | 78 |
3 files changed, 82 insertions, 2 deletions
diff --git a/textproc/expat/Makefile b/textproc/expat/Makefile index 8e4e7d1ad9d..1fcf69f2408 100644 --- a/textproc/expat/Makefile +++ b/textproc/expat/Makefile @@ -1,7 +1,8 @@ -# $NetBSD: Makefile,v 1.28 2014/10/09 14:07:01 wiz Exp $ +# $NetBSD: Makefile,v 1.29 2015/08/04 08:47:19 tnn Exp $ # DISTNAME= expat-2.1.0 +PKGREVISION= 1 CATEGORIES= textproc MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=expat/} diff --git a/textproc/expat/distinfo b/textproc/expat/distinfo index 7da9a0e4da4..c122c65c7a1 100644 --- a/textproc/expat/distinfo +++ b/textproc/expat/distinfo @@ -1,5 +1,6 @@ -$NetBSD: distinfo,v 1.20 2012/04/01 08:52:43 obache Exp $ +$NetBSD: distinfo,v 1.21 2015/08/04 08:47:19 tnn Exp $ SHA1 (expat-2.1.0.tar.gz) = b08197d146930a5543a7b99e871cba3da614f6f0 RMD160 (expat-2.1.0.tar.gz) = bffca083d29fe7688f106a902ef9b909c3321c5d Size (expat-2.1.0.tar.gz) = 562616 bytes +SHA1 (patch-xmlparse.c) = e6e3697102b2f86d4a0824b1f6498e0ec435b9e4 diff --git a/textproc/expat/patches/patch-xmlparse.c b/textproc/expat/patches/patch-xmlparse.c new file mode 100644 index 00000000000..b89c9d7ccf2 --- /dev/null +++ b/textproc/expat/patches/patch-xmlparse.c 
@@ -0,0 +1,78 @@
+$NetBSD: patch-xmlparse.c,v 1.1 2015/08/04 08:47:19 tnn Exp $
+
+CVE-2015-1283 heap based buffer overflow in expat.
+
+https://hg.mozilla.org/releases/mozilla-esr31/raw-diff/2f3e78643f5c/parser/expat/lib/xmlparse.c
+
+diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c
+--- lib/xmlparse.c
++++ lib/xmlparse.c
+@@ -1646,29 +1646,40 @@ XML_ParseBuffer(XML_Parser parser, int l
+ XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);
+ positionPtr = bufferPtr;
+ return result;
+ }
+
+ void * XMLCALL
+ XML_GetBuffer(XML_Parser parser, int len)
+ {
++/* BEGIN MOZILLA CHANGE (sanity check len) */
++ if (len < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ switch (ps_parsing) {
+ case XML_SUSPENDED:
+ errorCode = XML_ERROR_SUSPENDED;
+ return NULL;
+ case XML_FINISHED:
+ errorCode = XML_ERROR_FINISHED;
+ return NULL;
+ default: ;
+ }
+
+ if (len > bufferLim - bufferEnd) {
+- /* FIXME avoid integer overflow */
+ int neededSize = len + (int)(bufferEnd - bufferPtr);
++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
++ if (neededSize < 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ #ifdef XML_CONTEXT_BYTES
+ int keep = (int)(bufferPtr - buffer);
+
+ if (keep > XML_CONTEXT_BYTES)
+ keep = XML_CONTEXT_BYTES;
+ neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+ if (neededSize <= bufferLim - buffer) {
+@@ -1687,17 +1698,25 @@ XML_GetBuffer(XML_Parser parser, int len
+ }
+ else {
+ char *newBuf;
+ int bufferSize = (int)(bufferLim - bufferPtr);
+ if (bufferSize == 0)
+ bufferSize = INIT_BUFFER_SIZE;
+ do {
+ bufferSize *= 2;
+- } while (bufferSize < neededSize);
++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
++ } while (bufferSize < neededSize && bufferSize > 0);
++/* END MOZILLA CHANGE */
++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
++ if (bufferSize <= 0) {
++ errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
++/* END MOZILLA CHANGE */
+ newBuf = (char *)MALLOC(bufferSize);
+ if (newBuf == 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+ bufferLim = newBuf + bufferSize;
+ #ifdef XML_CONTEXT_BYTES
+ if (bufferPtr) {
|
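Review bot: The added `neededSize < 0` and `bufferSize <= 0` checks in XML_GetBuffer run only after the signed `int` arithmetic has already overflowed, which is undefined behaviour in C, so an optimising compiler is entitled to remove them and the guard may be absent from the built library. Testing before the operation avoids that, for example `if (len > INT_MAX - (int)(bufferEnd - bufferPtr))` ahead of the addition and `if (bufferSize > INT_MAX / 2)` inside the doubling loop (this assumes `<limits.h>` is available in xmlparse.c). Under XML_CONTEXT_BYTES, `neededSize += keep;` also runs after the new check and is not re-validated, so a value just below the limit can still wrap there. XML_GetBuffer continues past the end of the second inner hunk, so the later uses of `bufferSize` are not visible here.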