import-layers/yocto-poky/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch - openbmc/openbmc - Gitiles

 Multiple integer overflows in the XML_GetBuffer function in Expat
 through 2.1.0, allow remote attackers to cause a denial of service
 (heap-based buffer overflow) or possibly have unspecified other
 impact via crafted XML data.

 CVSSv2:  (AV:N/AC:M/Au:N/C:P/I:P/A:P)

 CVE: CVE-2015-1283
 Upstream-Status: Backport

 Signed-off-by: Eric Rahm <erahm@mozilla.com>
 Signed-off-by: Zhixiong Chi <zhixiong.chi@windirver.com>

 Index: expat-2.1.0/lib/xmlparse.c
 ===================================================================
 --- expat-2.1.0.orig/lib/xmlparse.c	2012-03-11 13:13:12.000000000 +0800
 +++ expat-2.1.0/lib/xmlparse.c	2015-12-23 10:29:07.347361329 +0800
 @@ -1678,6 +1678,12 @@
  void * XMLCALL
  XML_GetBuffer(XML_Parser parser, int len)
  {
 +/* BEGIN MOZILLA CHANGE (sanity check len) */
 +  if (len < 0) {
 +    errorCode = XML_ERROR_NO_MEMORY;
 +    return NULL;
 +  }
 +/* END MOZILLA CHANGE */
    switch (ps_parsing) {
    case XML_SUSPENDED:
      errorCode = XML_ERROR_SUSPENDED;
 @@ -1689,8 +1695,13 @@
    }

    if (len > bufferLim - bufferEnd) {
 -    /* FIXME avoid integer overflow */
      int neededSize = len + (int)(bufferEnd - bufferPtr);
 +/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
 +    if (neededSize < 0) {
 +      errorCode = XML_ERROR_NO_MEMORY;
 +      return NULL;
 +    }
 +/* END MOZILLA CHANGE */
  #ifdef XML_CONTEXT_BYTES
      int keep = (int)(bufferPtr - buffer);

 @@ -1719,7 +1730,15 @@
          bufferSize = INIT_BUFFER_SIZE;
        do {
          bufferSize *= 2;
 -      } while (bufferSize < neededSize);
 +/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
 +      } while (bufferSize < neededSize && bufferSize > 0);
 +/* END MOZILLA CHANGE */
 +/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
 +      if (bufferSize <= 0) {
 +        errorCode = XML_ERROR_NO_MEMORY;
 +        return NULL;
 +      }
 +/* END MOZILLA CHANGE */
        newBuf = (char *)MALLOC(bufferSize);
        if (newBuf == 0) {
          errorCode = XML_ERROR_NO_MEMORY;
	Multiple integer overflows in the XML_GetBuffer function in Expat
	through 2.1.0, allow remote attackers to cause a denial of service
	(heap-based buffer overflow) or possibly have unspecified other
	impact via crafted XML data.

	CVSSv2: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

	CVE: CVE-2015-1283
	Upstream-Status: Backport

	Signed-off-by: Eric Rahm <erahm@mozilla.com>
	Signed-off-by: Zhixiong Chi <zhixiong.chi@windirver.com>

	Index: expat-2.1.0/lib/xmlparse.c
	===================================================================
	--- expat-2.1.0.orig/lib/xmlparse.c 2012-03-11 13:13:12.000000000 +0800
	+++ expat-2.1.0/lib/xmlparse.c 2015-12-23 10:29:07.347361329 +0800
	@@ -1678,6 +1678,12 @@
	void * XMLCALL
	XML_GetBuffer(XML_Parser parser, int len)
	{
	+/* BEGIN MOZILLA CHANGE (sanity check len) */
	+ if (len < 0) {
	+ errorCode = XML_ERROR_NO_MEMORY;
	+ return NULL;
	+ }
	+/* END MOZILLA CHANGE */
	switch (ps_parsing) {
	case XML_SUSPENDED:
	errorCode = XML_ERROR_SUSPENDED;
	@@ -1689,8 +1695,13 @@
	}

	if (len > bufferLim - bufferEnd) {
	- /* FIXME avoid integer overflow */
	int neededSize = len + (int)(bufferEnd - bufferPtr);
	+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
	+ if (neededSize < 0) {
	+ errorCode = XML_ERROR_NO_MEMORY;
	+ return NULL;
	+ }
	+/* END MOZILLA CHANGE */
	#ifdef XML_CONTEXT_BYTES
	int keep = (int)(bufferPtr - buffer);

	@@ -1719,7 +1730,15 @@
	bufferSize = INIT_BUFFER_SIZE;
	do {
	bufferSize *= 2;
	- } while (bufferSize < neededSize);
	+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
	+ } while (bufferSize < neededSize && bufferSize > 0);
	+/* END MOZILLA CHANGE */
	+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
	+ if (bufferSize <= 0) {
	+ errorCode = XML_ERROR_NO_MEMORY;
	+ return NULL;
	+ }
	+/* END MOZILLA CHANGE */
	newBuf = (char *)MALLOC(bufferSize);
	if (newBuf == 0) {
	errorCode = XML_ERROR_NO_MEMORY;