| Multiple integer overflows in the XML_GetBuffer function in Expat |
| through 2.1.0 allow remote attackers to cause a denial of service |
| (heap-based buffer overflow) or possibly have unspecified other |
| impact via crafted XML data. |
| |
| CVSSv2: (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
| |
| CVE: CVE-2015-1283 |
| Upstream-Status: Backport |
| |
| Signed-off-by: Eric Rahm <erahm@mozilla.com> |
| Signed-off-by: Zhixiong Chi <zhixiong.chi@windirver.com> |
| |
| Index: expat-2.1.0/lib/xmlparse.c |
| =================================================================== |
| --- expat-2.1.0.orig/lib/xmlparse.c 2012-03-11 13:13:12.000000000 +0800 |
| +++ expat-2.1.0/lib/xmlparse.c 2015-12-23 10:29:07.347361329 +0800 |
| @@ -1678,6 +1678,12 @@ |
| void * XMLCALL |
| XML_GetBuffer(XML_Parser parser, int len) |
| { |
| +/* BEGIN MOZILLA CHANGE (sanity check len) */ |
| + if (len < 0) { |
| + errorCode = XML_ERROR_NO_MEMORY; |
| + return NULL; |
| + } |
| +/* END MOZILLA CHANGE */ |
| switch (ps_parsing) { |
| case XML_SUSPENDED: |
| errorCode = XML_ERROR_SUSPENDED; |
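Review bot: The new `len < 0` guard reports XML_ERROR_NO_MEMORY for what is really a caller error, and the comment `sanity check len` does not say what the check protects, so a reader reaching the size arithmetic later in the function has to work it out; a comment such as `/* A negative len would corrupt the len + (bufferEnd - bufferPtr) computation below; reject it before any size arithmetic. */` would carry that. Reusing XML_ERROR_NO_MEMORY is at least consistent with the other two checks in this patch and, as far as I recall, with the upstream 2.1.1 fix, so the code choice is acceptable if it is documented as deliberate. XML_GetBuffer's body continues past the end of the hunk.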
| @@ -1689,8 +1695,13 @@ |
| } |
| |
| if (len > bufferLim - bufferEnd) { |
| - /* FIXME avoid integer overflow */ |
| int neededSize = len + (int)(bufferEnd - bufferPtr); |
| +/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ |
| + if (neededSize < 0) { |
| + errorCode = XML_ERROR_NO_MEMORY; |
| + return NULL; |
| + } |
| +/* END MOZILLA CHANGE */ |
| #ifdef XML_CONTEXT_BYTES |
| int keep = (int)(bufferPtr - buffer); |
| |
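Review bot: The guard `if (neededSize < 0)` tests the result of a signed addition that has already overflowed, which is undefined behaviour in C, so an optimizing compiler is entitled to assume it cannot be negative and drop the check; the same post-hoc pattern is relied on for `bufferSize *= 2` in the next hunk. Bound the operands before adding instead: `int have = (int)(bufferEnd - bufferPtr);` / `if (len > INT_MAX - have) { errorCode = XML_ERROR_NO_MEMORY; return NULL; }` / `int neededSize = len + have;` (INT_MAX needs <limits.h> if xmlparse.c does not already include it). If the XML_CONTEXT_BYTES branch below this hunk later adds `keep` to neededSize, that addition is unchecked in the same way and needs the same bound. The enclosing `if (len > bufferLim - bufferEnd)` block continues outside the hunk.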
| @@ -1719,7 +1730,15 @@ |
| bufferSize = INIT_BUFFER_SIZE; |
| do { |
| bufferSize *= 2; |
| - } while (bufferSize < neededSize); |
| +/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ |
| + } while (bufferSize < neededSize && bufferSize > 0); |
| +/* END MOZILLA CHANGE */ |
| +/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ |
| + if (bufferSize <= 0) { |
| + errorCode = XML_ERROR_NO_MEMORY; |
| + return NULL; |
| + } |
| +/* END MOZILLA CHANGE */ |
| newBuf = (char *)MALLOC(bufferSize); |
| if (newBuf == 0) { |
| errorCode = XML_ERROR_NO_MEMORY; |
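Review bot: The loop condition `bufferSize > 0` and the post-loop `if (bufferSize <= 0)` are two tests of the same wrapped value, and both only work if the signed multiply has actually wrapped, which a compiler treating signed overflow as impossible need not honour. A single bound check inside the loop before `bufferSize *= 2` avoids the wrap entirely and makes the second check unnecessary; INT_MAX requires <limits.h> if xmlparse.c does not already include it. The allocation and copy code after `newBuf == 0` continues past the hunk.
```c
bufferSize = INIT_BUFFER_SIZE;
do {
    /* Bound before doubling so the multiply can never overflow. */
    if (bufferSize > INT_MAX / 2) {
        errorCode = XML_ERROR_NO_MEMORY;
        return NULL;
    }
    bufferSize *= 2;
} while (bufferSize < neededSize);
newBuf = (char *)MALLOC(bufferSize);
/* … unchanged: MALLOC failure handling … */
```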