1 files changed, 0 insertions, 62 deletions
diff --git a/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
deleted file mode 100644
index 1d0acb6b91..0000000000
--- a/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-Multiple integer overflows in the XML_GetBuffer function in Expat 
-through 2.1.0, allow remote attackers to cause a denial of service 
-(heap-based buffer overflow) or possibly have unspecified other 
-impact via crafted XML data.
-CVSSv2:  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
-CVE: CVE-2015-1283
-Upstream-Status: Backport
-Signed-off-by: Eric Rahm <erahm@mozilla.com>
-Signed-off-by: Zhixiong Chi <zhixiong.chi@windirver.com>
-Index: expat-2.1.0/lib/xmlparse.c
-===================================================================
--- expat-2.1.0.orig/lib/xmlparse.c     2012-03-11 13:13:12.000000000 +0800
-+++ expat-2.1.0/lib/xmlparse.c  2015-12-23 10:29:07.347361329 +0800
-@@ -1678,6 +1678,12 @@
- void * XMLCALL
- XML_GetBuffer(XML_Parser parser, int len)
- {
-+/* BEGIN MOZILLA CHANGE (sanity check len) */
-+  if (len < 0) {
-+    errorCode = XML_ERROR_NO_MEMORY;
-+    return NULL;
-+  }
-+/* END MOZILLA CHANGE */
-   switch (ps_parsing) {
-   case XML_SUSPENDED:
-     errorCode = XML_ERROR_SUSPENDED;
-@@ -1689,8 +1695,13 @@
-   }
- 
-   if (len > bufferLim - bufferEnd) {
-    /* FIXME avoid integer overflow */
-     int neededSize = len + (int)(bufferEnd - bufferPtr);
-+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
-+    if (neededSize < 0) {
-+      errorCode = XML_ERROR_NO_MEMORY;
-+      return NULL;
-+    }
-+/* END MOZILLA CHANGE */
- #ifdef XML_CONTEXT_BYTES
-     int keep = (int)(bufferPtr - buffer);
- 
-@@ -1719,7 +1730,15 @@
-         bufferSize = INIT_BUFFER_SIZE;
-       do {
-         bufferSize *= 2;
-      } while (bufferSize < neededSize);
-+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
-+      } while (bufferSize < neededSize && bufferSize > 0);
-+/* END MOZILLA CHANGE */
-+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
-+      if (bufferSize <= 0) {
-+        errorCode = XML_ERROR_NO_MEMORY;
-+        return NULL;
-+      }
-+/* END MOZILLA CHANGE */
-       newBuf = (char *)MALLOC(bufferSize);
-       if (newBuf == 0) {
-         errorCode = XML_ERROR_NO_MEMORY;

diff --git a/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch deleted file mode 100644 index 1d0acb6b91..0000000000 --- a/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch +++ /dev/null
@@ -1,62 +0,0 @@
1	Multiple integer overflows in the XML_GetBuffer function in Expat
2	through 2.1.0, allow remote attackers to cause a denial of service
3	(heap-based buffer overflow) or possibly have unspecified other
4	impact via crafted XML data.
5
6	CVSSv2: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
7
8	CVE: CVE-2015-1283
9	Upstream-Status: Backport
10
11	Signed-off-by: Eric Rahm <erahm@mozilla.com>
12	Signed-off-by: Zhixiong Chi <zhixiong.chi@windirver.com>
13
14	Index: expat-2.1.0/lib/xmlparse.c
15	===================================================================
16	--- expat-2.1.0.orig/lib/xmlparse.c 2012-03-11 13:13:12.000000000 +0800
17	+++ expat-2.1.0/lib/xmlparse.c 2015-12-23 10:29:07.347361329 +0800
18	@@ -1678,6 +1678,12 @@
19	void * XMLCALL
20	XML_GetBuffer(XML_Parser parser, int len)
21	{
22	+/* BEGIN MOZILLA CHANGE (sanity check len) */
23	+ if (len < 0) {
24	+ errorCode = XML_ERROR_NO_MEMORY;
25	+ return NULL;
26	+ }
27	+/* END MOZILLA CHANGE */
28	switch (ps_parsing) {
29	case XML_SUSPENDED:
30	errorCode = XML_ERROR_SUSPENDED;
31	@@ -1689,8 +1695,13 @@
32	}
33
34	if (len > bufferLim - bufferEnd) {
35	- /* FIXME avoid integer overflow */
36	int neededSize = len + (int)(bufferEnd - bufferPtr);
37	+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
38	+ if (neededSize < 0) {
39	+ errorCode = XML_ERROR_NO_MEMORY;
40	+ return NULL;
41	+ }
42	+/* END MOZILLA CHANGE */
43	#ifdef XML_CONTEXT_BYTES
44	int keep = (int)(bufferPtr - buffer);
45
46	@@ -1719,7 +1730,15 @@
47	bufferSize = INIT_BUFFER_SIZE;
48	do {
49	bufferSize *= 2;
50	- } while (bufferSize < neededSize);
51	+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
52	+ } while (bufferSize < neededSize && bufferSize > 0);
53	+/* END MOZILLA CHANGE */
54	+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
55	+ if (bufferSize <= 0) {
56	+ errorCode = XML_ERROR_NO_MEMORY;
57	+ return NULL;
58	+ }
59	+/* END MOZILLA CHANGE */
60	newBuf = (char *)MALLOC(bufferSize);
61	if (newBuf == 0) {
62	errorCode = XML_ERROR_NO_MEMORY;