diff options
Diffstat (limited to 'recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch')
-rw-r--r-- | recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch new file mode 100644 index 0000000..e072ef1 --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-5130-check-for-integer-overflow-in-memory-debug-code.patch | |||
@@ -0,0 +1,66 @@ | |||
1 | From 897dffbae322b46b83f99a607d527058a72c51ed Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Tue, 6 Jun 2017 13:21:14 +0200 | ||
4 | Subject: [PATCH] Check for integer overflow in memory debug code | ||
5 | |||
6 | Fixes bug 783026. | ||
7 | |||
8 | Thanks to Pranjal Jumde for the report. | ||
9 | |||
10 | CVE: CVE-2017-5130 | ||
11 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/897dffbae322b46b83f99a607d527058a72c51ed] | ||
12 | |||
13 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
14 | --- | ||
15 | xmlmemory.c | 21 +++++++++++++++++++++ | ||
16 | 1 file changed, 21 insertions(+) | ||
17 | |||
18 | diff --git a/xmlmemory.c b/xmlmemory.c | ||
19 | index f08c8c3..c53141f 100644 | ||
20 | --- a/xmlmemory.c | ||
21 | +++ b/xmlmemory.c | ||
22 | @@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line) | ||
23 | |||
24 | TEST_POINT | ||
25 | |||
26 | + if (size > (MAX_SIZE_T - RESERVE_SIZE)) { | ||
27 | + xmlGenericError(xmlGenericErrorContext, | ||
28 | + "xmlMallocLoc : Unsigned overflow\n"); | ||
29 | + xmlMemoryDump(); | ||
30 | + return(NULL); | ||
31 | + } | ||
32 | + | ||
33 | p = (MEMHDR *) malloc(RESERVE_SIZE+size); | ||
34 | |||
35 | if (!p) { | ||
36 | @@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line) | ||
37 | #endif | ||
38 | xmlMutexUnlock(xmlMemMutex); | ||
39 | |||
40 | + if (size > (MAX_SIZE_T - RESERVE_SIZE)) { | ||
41 | + xmlGenericError(xmlGenericErrorContext, | ||
42 | + "xmlMallocLoc : Unsigned overflow\n"); | ||
43 | + xmlMemoryDump(); | ||
44 | + return(NULL); | ||
45 | + } | ||
46 | + | ||
47 | tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size); | ||
48 | if (!tmp) { | ||
49 | free(p); | ||
50 | @@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line) | ||
51 | if (!xmlMemInitialized) xmlInitMemory(); | ||
52 | TEST_POINT | ||
53 | |||
54 | + if (size > (MAX_SIZE_T - RESERVE_SIZE)) { | ||
55 | + xmlGenericError(xmlGenericErrorContext, | ||
56 | + "xmlMallocLoc : Unsigned overflow\n"); | ||
57 | + xmlMemoryDump(); | ||
58 | + return(NULL); | ||
59 | + } | ||
60 | + | ||
61 | p = (MEMHDR *) malloc(RESERVE_SIZE+size); | ||
62 | if (!p) { | ||
63 | goto error; | ||
64 | -- | ||
65 | 2.7.4 | ||
66 | |||