diff options
| author | Xin LI <delphij@FreeBSD.org> | 2015-08-18 19:30:35 +0000 |
|---|---|---|
| committer | Xin LI <delphij@FreeBSD.org> | 2015-08-18 19:30:35 +0000 |
| commit | 85d704f8b6f27204b662eb54da2490c7495b441d (patch) | |
| tree | 281ab7744ec937132b7855029f2030a96fc6368e | |
| parent | 4ca6726079235a9db843a8a68e1da516d0960102 (diff) | |
| download | src-85d704f8b6f27204b662eb54da2490c7495b441d.tar.gz src-85d704f8b6f27204b662eb54da2490c7495b441d.zip | |
Fix multiple integer overflows in expat.
Security: CVE-2015-1283
Security: FreeBSD-SA-15:20.expat
Approved by: so
Notes
Notes:
svn path=/releng/9.3/; revision=286902
| -rw-r--r-- | UPDATING | 5 | ||||
| -rw-r--r-- | contrib/expat/lib/xmlparse.c | 23 | ||||
| -rw-r--r-- | sys/conf/newvers.sh | 2 |
3 files changed, 27 insertions, 3 deletions
@@ -11,6 +11,11 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20150818: p23 FreeBSD-SA-15:20.expat + + Fix multiple integer overflows in expat (libbsdxml) XML parser. + [SA-15:20] + 20150805: p22 FreeBSD-SA-15:19.routed Fix routed remote denial of service vulnerability. diff --git a/contrib/expat/lib/xmlparse.c b/contrib/expat/lib/xmlparse.c index f35aa36ba8a7..ede7b5bb6673 100644 --- a/contrib/expat/lib/xmlparse.c +++ b/contrib/expat/lib/xmlparse.c @@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) void * XMLCALL XML_GetBuffer(XML_Parser parser, int len) { +/* BEGIN MOZILLA CHANGE (sanity check len) */ + if (len < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ switch (ps_parsing) { case XML_SUSPENDED: errorCode = XML_ERROR_SUSPENDED; @@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len) } if (len > bufferLim - bufferEnd) { - /* FIXME avoid integer overflow */ int neededSize = len + (int)(bufferEnd - bufferPtr); +/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ + if (neededSize < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ #ifdef XML_CONTEXT_BYTES int keep = (int)(bufferPtr - buffer); @@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len) bufferSize = INIT_BUFFER_SIZE; do { bufferSize *= 2; - } while (bufferSize < neededSize); +/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ + } while (bufferSize < neededSize && bufferSize > 0); +/* END MOZILLA CHANGE */ +/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ + if (bufferSize <= 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ newBuf = (char *)MALLOC(bufferSize); if (newBuf == 0) { errorCode = XML_ERROR_NO_MEMORY; diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 97f3fe8d0d24..f5c1e4f8d64b 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p22" +BRANCH="RELEASE-p23" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi |