Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:GA
expat.35528
expat-2.1.0-CVE-2016-9063.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File expat-2.1.0-CVE-2016-9063.patch of Package expat.35528
From d4f735b88d9932bd5039df2335eefdd0723dbe20 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping <sebastian@pipping.org> Date: Wed, 12 Apr 2017 23:55:45 +0200 Subject: [PATCH] Detect integer overflow (CVE-2016-9063) Needs XML_CONTEXT_BYTES to be _undefined_ to trigger, default is defined and set to 1024. Previously patched downstream, e.g. https://sources.debian.net/src/expat/2.2.0-2/debian/patches/CVE-2016-9063.patch/ https://bug1274777.bmoattachments.org/attachment.cgi?id=8755538 This version avoids undefined behavior from _signed_ integer overflow. Signed-off-by: Pascal Cuoq <cuoq@trust-in-soft.com> --- expat/lib/xmlparse.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c index b62d7898..a8377a88 100644 --- a/expat/lib/xmlparse.c +++ b/expat/lib/xmlparse.c @@ -1633,11 +1633,14 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) nLeftOver = s + len - end; if (nLeftOver) { if (buffer == NULL || nLeftOver > bufferLim - buffer) { - /* FIXME avoid integer overflow */ - char *temp; - temp = (buffer == NULL - ? (char *)MALLOC(len * 2) - : (char *)REALLOC(buffer, len * 2)); + /* avoid _signed_ integer overflow */ + char *temp = NULL; + const int bytesToAllocate = (int)((unsigned)len * 2U); + if (bytesToAllocate > 0) { + temp = (buffer == NULL + ? (char *)MALLOC(bytesToAllocate) + : (char *)REALLOC(buffer, bytesToAllocate)); + } if (temp == NULL) { errorCode = XML_ERROR_NO_MEMORY; eventPtr = eventEndPtr = NULL; @@ -1645,7 +1648,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) return XML_STATUS_ERROR; } buffer = temp; - bufferLim = buffer + len * 2; + bufferLim = buffer + bytesToAllocate; } memcpy(buffer, end, nLeftOver); }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor