summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core
diff options
context:
space:
mode:
authorZhixiong Chi <Zhixiong.Chi@windriver.com>2015-12-24 17:29:59 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-01-07 13:40:16 +0000
commit30c06a412e3a85eb2770f6aeb6f9b3ce632ca19d (patch)
tree7f3964a47be8eb5e5edcc503b6a7d50e933717a7 /meta/recipes-core
parent315bdc80b0b97836715efae2c158f74783159bf3 (diff)
downloadpoky-30c06a412e3a85eb2770f6aeb6f9b3ce632ca19d.tar.gz
expat: CVE-2015-1283
Add CVE-2015-1283 patch for fixing integer overflow bug in expat. Details are at below link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283 Patch comes from: https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c https://codereview.chromium.org/1224303003 (From OE-Core rev: c89c5383e304a52b604a3672ac93fd88b5eb8b41) Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch62
-rw-r--r--meta/recipes-core/expat/expat.inc4
2 files changed, 65 insertions, 1 deletions
diff --git a/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
new file mode 100644
index 0000000000..1d0acb6b91
--- /dev/null
+++ b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
@@ -0,0 +1,62 @@
1Multiple integer overflows in the XML_GetBuffer function in Expat
2through 2.1.0, allow remote attackers to cause a denial of service
3(heap-based buffer overflow) or possibly have unspecified other
4impact via crafted XML data.
5
6CVSSv2: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
7
8CVE: CVE-2015-1283
9Upstream-Status: Backport
10
11Signed-off-by: Eric Rahm <erahm@mozilla.com>
12Signed-off-by: Zhixiong Chi <zhixiong.chi@windirver.com>
13
14Index: expat-2.1.0/lib/xmlparse.c
15===================================================================
16--- expat-2.1.0.orig/lib/xmlparse.c 2012-03-11 13:13:12.000000000 +0800
17+++ expat-2.1.0/lib/xmlparse.c 2015-12-23 10:29:07.347361329 +0800
18@@ -1678,6 +1678,12 @@
19 void * XMLCALL
20 XML_GetBuffer(XML_Parser parser, int len)
21 {
22+/* BEGIN MOZILLA CHANGE (sanity check len) */
23+ if (len < 0) {
24+ errorCode = XML_ERROR_NO_MEMORY;
25+ return NULL;
26+ }
27+/* END MOZILLA CHANGE */
28 switch (ps_parsing) {
29 case XML_SUSPENDED:
30 errorCode = XML_ERROR_SUSPENDED;
31@@ -1689,8 +1695,13 @@
32 }
33
34 if (len > bufferLim - bufferEnd) {
35- /* FIXME avoid integer overflow */
36 int neededSize = len + (int)(bufferEnd - bufferPtr);
37+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
38+ if (neededSize < 0) {
39+ errorCode = XML_ERROR_NO_MEMORY;
40+ return NULL;
41+ }
42+/* END MOZILLA CHANGE */
43 #ifdef XML_CONTEXT_BYTES
44 int keep = (int)(bufferPtr - buffer);
45
46@@ -1719,7 +1730,15 @@
47 bufferSize = INIT_BUFFER_SIZE;
48 do {
49 bufferSize *= 2;
50- } while (bufferSize < neededSize);
51+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
52+ } while (bufferSize < neededSize && bufferSize > 0);
53+/* END MOZILLA CHANGE */
54+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
55+ if (bufferSize <= 0) {
56+ errorCode = XML_ERROR_NO_MEMORY;
57+ return NULL;
58+ }
59+/* END MOZILLA CHANGE */
60 newBuf = (char *)MALLOC(bufferSize);
61 if (newBuf == 0) {
62 errorCode = XML_ERROR_NO_MEMORY;
diff --git a/meta/recipes-core/expat/expat.inc b/meta/recipes-core/expat/expat.inc
index 6dfafe94d2..4bd60a2a6d 100644
--- a/meta/recipes-core/expat/expat.inc
+++ b/meta/recipes-core/expat/expat.inc
@@ -5,7 +5,9 @@ SECTION = "libs"
5LICENSE = "MIT" 5LICENSE = "MIT"
6 6
7SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.gz \ 7SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.gz \
8 file://autotools.patch" 8 file://autotools.patch \
9 file://expat-CVE-2015-1283.patch \
10 "
9 11
10inherit autotools lib_package gzipnative 12inherit autotools lib_package gzipnative
11 13