svn commit: r286900 - in stable: 10/contrib/expat/lib 9/contrib/expat/lib
Xin LI
delphij at FreeBSD.org
Tue Aug 18 19:30:07 UTC 2015
Author: delphij
Date: Tue Aug 18 19:30:05 2015
New Revision: 286900
URL: https://svnweb.freebsd.org/changeset/base/286900
Log:
Fix multiple integer overflows in expat.
Security: CVE-2015-1283
Security: FreeBSD-SA-15:20.expat
Modified:
stable/9/contrib/expat/lib/xmlparse.c
Changes in other areas also in this revision:
Modified:
stable/10/contrib/expat/lib/xmlparse.c
Modified: stable/9/contrib/expat/lib/xmlparse.c
==============================================================================
--- stable/9/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:04 2015 (r286899)
+++ stable/9/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:05 2015 (r286900)
@@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int l
void * XMLCALL
XML_GetBuffer(XML_Parser parser, int len)
{
+/* BEGIN MOZILLA CHANGE (sanity check len) */
+ if (len < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+/* END MOZILLA CHANGE */
switch (ps_parsing) {
case XML_SUSPENDED:
errorCode = XML_ERROR_SUSPENDED;
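Review bot: The new `len < 0` guard at the top of XML_GetBuffer reports a caller-supplied invalid length as `XML_ERROR_NO_MEMORY`, which makes a bad argument look like an allocation failure to anyone triaging from the error code. If this version of the library has no more specific code, say so in a comment at the check, for example `/* negative len is a caller error; reported as NO_MEMORY for lack of a dedicated code */`. The guard also runs before the `ps_parsing` switch, so a suspended or finished parser given a negative length returns this code rather than the state error; a short comment noting that this ordering is intended would help. The function body continues outside this hunk.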
@@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len
}
if (len > bufferLim - bufferEnd) {
- /* FIXME avoid integer overflow */
int neededSize = len + (int)(bufferEnd - bufferPtr);
+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
+ if (neededSize < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+/* END MOZILLA CHANGE */
#ifdef XML_CONTEXT_BYTES
int keep = (int)(bufferPtr - buffer);
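Review bot: The added `if (neededSize < 0)` test runs only after `len + (int)(bufferEnd - bufferPtr)` has been evaluated in `int`. Signed overflow is undefined behaviour in C, so an optimizing compiler may assume the sum cannot wrap and remove the check entirely. Test the bound before the addition, e.g. `if (len > INT_MAX - (int)(bufferEnd - bufferPtr)) { errorCode = XML_ERROR_NO_MEMORY; return NULL; }` (this needs `<limits.h>`), or do the arithmetic in an unsigned type. The same after-the-fact pattern appears in the later hunk at the doubling loop, where `bufferSize *= 2` is followed by `bufferSize > 0` and `bufferSize <= 0`; there the guard belongs ahead of the multiply, e.g. `if (bufferSize > INT_MAX / 2)`. The declaration of `bufferSize` is not visible in these hunks, so confirm it is a signed `int`; XML_GetBuffer's body starts and ends outside this hunk.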
@@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len
bufferSize = INIT_BUFFER_SIZE;
do {
bufferSize *= 2;
- } while (bufferSize < neededSize);
+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
+ } while (bufferSize < neededSize && bufferSize > 0);
+/* END MOZILLA CHANGE */
+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
+ if (bufferSize <= 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+/* END MOZILLA CHANGE */
newBuf = (char *)MALLOC(bufferSize);
if (newBuf == 0) {
errorCode = XML_ERROR_NO_MEMORY;