summaryrefslogtreecommitdiff
path: root/textproc/expat/patches/patch-CVE-2016-0718-1
diff options
context:
space:
mode:
Diffstat (limited to 'textproc/expat/patches/patch-CVE-2016-0718-1')
-rw-r--r--textproc/expat/patches/patch-CVE-2016-0718-1130
1 files changed, 0 insertions, 130 deletions
diff --git a/textproc/expat/patches/patch-CVE-2016-0718-1 b/textproc/expat/patches/patch-CVE-2016-0718-1
deleted file mode 100644
index 1e0cb06c26e..00000000000
--- a/textproc/expat/patches/patch-CVE-2016-0718-1
+++ /dev/null
@@ -1,130 +0,0 @@
-$NetBSD: patch-CVE-2016-0718-1,v 1.1 2016/05/17 19:15:01 drochner Exp $
-
-also fixes issues with the fix for CVE-2015-1283 (part of expat-2.1.1):
- possible undefined compiler behaviour on signed integer overflows
- (upstream commit f0bec73b018caa07d3e75ec8dd967f3785d71bde)
-
---- lib/xmlparse.c.orig 2016-03-12 03:21:09.000000000 +0000
-+++ lib/xmlparse.c
-@@ -1693,7 +1693,8 @@ XML_GetBuffer(XML_Parser parser, int len
- }
-
- if (len > bufferLim - bufferEnd) {
-- int neededSize = len + (int)(bufferEnd - bufferPtr);
-+ /* Do not invoke signed arithmetic overflow: */
-+ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
- if (neededSize < 0) {
- errorCode = XML_ERROR_NO_MEMORY;
- return NULL;
-@@ -1725,7 +1726,8 @@ XML_GetBuffer(XML_Parser parser, int len
- if (bufferSize == 0)
- bufferSize = INIT_BUFFER_SIZE;
- do {
-- bufferSize *= 2;
-+ /* Do not invoke signed arithmetic overflow: */
-+ bufferSize = (int) (2U * (unsigned) bufferSize);
- } while (bufferSize < neededSize && bufferSize > 0);
- if (bufferSize <= 0) {
- errorCode = XML_ERROR_NO_MEMORY;
-@@ -2426,11 +2428,11 @@ doContent(XML_Parser parser,
- for (;;) {
- int bufSize;
- int convLen;
-- XmlConvert(enc,
-+ const enum XML_Convert_Result convert_res = XmlConvert(enc,
- &fromPtr, rawNameEnd,
- (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1);
- convLen = (int)(toPtr - (XML_Char *)tag->buf);
-- if (fromPtr == rawNameEnd) {
-+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) {
- tag->name.strLen = convLen;
- break;
- }
-@@ -2651,11 +2653,11 @@ doContent(XML_Parser parser,
- if (MUST_CONVERT(enc, s)) {
- for (;;) {
- ICHAR *dataPtr = (ICHAR *)dataBuf;
-- XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
- *eventEndPP = s;
- charDataHandler(handlerArg, dataBuf,
- (int)(dataPtr - (ICHAR *)dataBuf));
-- if (s == next)
-+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
- break;
- *eventPP = s;
- }
-@@ -3261,11 +3263,11 @@ doCdataSection(XML_Parser parser,
- if (MUST_CONVERT(enc, s)) {
- for (;;) {
- ICHAR *dataPtr = (ICHAR *)dataBuf;
-- XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
- *eventEndPP = next;
- charDataHandler(handlerArg, dataBuf,
- (int)(dataPtr - (ICHAR *)dataBuf));
-- if (s == next)
-+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
- break;
- *eventPP = s;
- }
-@@ -5342,6 +5344,7 @@ reportDefault(XML_Parser parser, const E
- const char *s, const char *end)
- {
- if (MUST_CONVERT(enc, s)) {
-+ enum XML_Convert_Result convert_res;
- const char **eventPP;
- const char **eventEndPP;
- if (enc == encoding) {
-@@ -5354,11 +5357,11 @@ reportDefault(XML_Parser parser, const E
- }
- do {
- ICHAR *dataPtr = (ICHAR *)dataBuf;
-- XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
-+ convert_res = XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
- *eventEndPP = s;
- defaultHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf));
- *eventPP = s;
-- } while (s != end);
-+ } while ((convert_res != XML_CONVERT_COMPLETED) && (convert_res != XML_CONVERT_INPUT_INCOMPLETE));
- }
- else
- defaultHandler(handlerArg, (XML_Char *)s, (int)((XML_Char *)end - (XML_Char *)s));
-@@ -6163,8 +6166,8 @@ poolAppend(STRING_POOL *pool, const ENCO
- if (!pool->ptr && !poolGrow(pool))
- return NULL;
- for (;;) {
-- XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
-- if (ptr == end)
-+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
-+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
- break;
- if (!poolGrow(pool))
- return NULL;
-@@ -6248,8 +6251,13 @@ poolGrow(STRING_POOL *pool)
- }
- }
- if (pool->blocks && pool->start == pool->blocks->s) {
-- int blockSize = (int)(pool->end - pool->start)*2;
-- BLOCK *temp = (BLOCK *)
-+ BLOCK *temp;
-+ int blockSize = (int)((unsigned)(pool->end - pool->start)*2U);
-+
-+ if (blockSize < 0)
-+ return XML_FALSE;
-+
-+ temp = (BLOCK *)
- pool->mem->realloc_fcn(pool->blocks,
- (offsetof(BLOCK, s)
- + blockSize * sizeof(XML_Char)));
-@@ -6264,6 +6272,10 @@ poolGrow(STRING_POOL *pool)
- else {
- BLOCK *tem;
- int blockSize = (int)(pool->end - pool->start);
-+
-+ if (blockSize < 0)
-+ return XML_FALSE;
-+
- if (blockSize < INIT_BLOCK_SIZE)
- blockSize = INIT_BLOCK_SIZE;
- else
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-08 07:35:35 +0000