Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
expat.22461
expat-2.1.0-heap_buffer_overflow.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File expat-2.1.0-heap_buffer_overflow.patch of Package expat.22461
From ba0f9c3b40c264b8dd392e02a7a060a8fa54f032 Mon Sep 17 00:00:00 2001 From: Eric Rahm <erahm@mozilla.com> Date: Wed, 2 Mar 2016 13:31:21 +0100 Subject: [PATCH] CVE-2015-1283 Sanity check size calculations. r=peterv, a=abillings https://sourceforge.net/p/expat/bugs/528/ --- From f0bec73b018caa07d3e75ec8dd967f3785d71bde Mon Sep 17 00:00:00 2001 From: Pascal Cuoq <cuoq@trust-in-soft.com> Date: Sun, 15 May 2016 09:05:46 +0200 Subject: [PATCH] Avoid relying on undefined behavior in CVE-2015-1283 fix. It does not really work: https://godbolt.org/g/Zl8gdF --- Index: expat-2.1.0/lib/xmlparse.c =================================================================== --- expat-2.1.0.orig/lib/xmlparse.c +++ expat-2.1.0/lib/xmlparse.c @@ -1678,6 +1678,10 @@ XML_ParseBuffer(XML_Parser parser, int l void * XMLCALL XML_GetBuffer(XML_Parser parser, int len) { + if (len < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } switch (ps_parsing) { case XML_SUSPENDED: errorCode = XML_ERROR_SUSPENDED; @@ -1689,8 +1693,12 @@ XML_GetBuffer(XML_Parser parser, int len } if (len > bufferLim - bufferEnd) { - /* FIXME avoid integer overflow */ - int neededSize = len + (int)(bufferEnd - bufferPtr); + /* Do not invoke signed arithmetic overflow: */ + int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr)); + if (neededSize < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } #ifdef XML_CONTEXT_BYTES int keep = (int)(bufferPtr - buffer); @@ -1718,8 +1726,13 @@ XML_GetBuffer(XML_Parser parser, int len if (bufferSize == 0) bufferSize = INIT_BUFFER_SIZE; do { - bufferSize *= 2; - } while (bufferSize < neededSize); + /* Do not invoke signed arithmetic overflow: */ + bufferSize = (int) (2U * (unsigned) bufferSize); + } while (bufferSize < neededSize && bufferSize > 0); + if (bufferSize <= 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } newBuf = (char *)MALLOC(bufferSize); if (newBuf == 0) { errorCode = XML_ERROR_NO_MEMORY;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor