1 files changed, 92 insertions, 0 deletions
diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
new file mode 100644
index 0000000000..21da0c03b5
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
@@ -0,0 +1,92 @@
+Upstream-Status: backport
+yanjun.zhu <yanjun.zhu@windriver.com>
+--- a/nss/lib/util/secport.c
+++ b/nss/lib/util/secport.c
+@@ -69,13 +69,22 @@ PORTCharConversionFunc ucs4Utf8ConvertFu
+ PORTCharConversionFunc ucs2Utf8ConvertFunc;
+ PORTCharConversionWSwapFunc  ucs2AsciiConvertFunc;
+ 
+/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc)
+ * use the PRUint32 type for the size parameter. Before we pass a size_t or
+ * unsigned long size to these functions, we need to ensure it is <= half of
+ * the maximum PRUint32 value to avoid truncation and catch a negative size.
+ */
+#define MAX_SIZE (PR_UINT32_MAX >> 1)
+
+ void *
+ PORT_Alloc(size_t bytes)
+ {
+-    void *rv;
+    void *rv = NULL;
+ 
+-    /* Always allocate a non-zero amount of bytes */
+-    rv = (void *)PR_Malloc(bytes ? bytes : 1);
+    if (bytes <= MAX_SIZE) {
+       /* Always allocate a non-zero amount of bytes */
+       rv = PR_Malloc(bytes ? bytes : 1);
+    }
+     if (!rv) {
+        ++port_allocFailures;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -86,9 +95,11 @@ PORT_Alloc(size_t bytes)
+ void *
+ PORT_Realloc(void *oldptr, size_t bytes)
+ {
+-    void *rv;
+    void *rv = NULL;
+ 
+-    rv = (void *)PR_Realloc(oldptr, bytes);
+    if (bytes <= MAX_SIZE) {
+       rv = PR_Realloc(oldptr, bytes);
+    }
+     if (!rv) {
+        ++port_allocFailures;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -99,10 +110,12 @@ PORT_Realloc(void *oldptr, size_t bytes)
+ void *
+ PORT_ZAlloc(size_t bytes)
+ {
+-    void *rv;
+    void *rv = NULL;
+ 
+-    /* Always allocate a non-zero amount of bytes */
+-    rv = (void *)PR_Calloc(1, bytes ? bytes : 1);
+    if (bytes <= MAX_SIZE) {
+       /* Always allocate a non-zero amount of bytes */
+       rv = PR_Calloc(1, bytes ? bytes : 1);
+    }
+     if (!rv) {
+        ++port_allocFailures;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -209,6 +222,10 @@ PORT_NewArena(unsigned long chunksize)
+ {
+     PORTArenaPool *pool;
+     
+    if (chunksize > MAX_SIZE) {
+       PORT_SetError(SEC_ERROR_NO_MEMORY);
+       return NULL;
+    }
+     pool = PORT_ZNew(PORTArenaPool);
+     if (!pool) {
+        return NULL;
+@@ -224,8 +241,6 @@ PORT_NewArena(unsigned long chunksize)
+     return(&pool->arena);
+ }
+ 
+-#define MAX_SIZE 0x7fffffffUL
+-
+ void *
+ PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
+ {
+@@ -330,6 +345,11 @@ PORT_ArenaGrow(PLArenaPool *arena, void 
+     PORTArenaPool *pool = (PORTArenaPool *)arena;
+     PORT_Assert(newsize >= oldsize);
+     
+    if (newsize > MAX_SIZE) {
+       PORT_SetError(SEC_ERROR_NO_MEMORY);
+       return NULL;
+    }
+
+     if (ARENAPOOL_MAGIC == pool->magic ) {
+        PZ_Lock(pool->lock);
+        /* Do we do a THREADMARK check here? */

diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch new file mode 100644 index 0000000000..21da0c03b5 --- /dev/null +++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
@@ -0,0 +1,92 @@
	1	Upstream-Status: backport
	2	yanjun.zhu <yanjun.zhu@windriver.com>
	3	--- a/nss/lib/util/secport.c
	4	+++ b/nss/lib/util/secport.c
	5	@@ -69,13 +69,22 @@ PORTCharConversionFunc ucs4Utf8ConvertFu
	6	PORTCharConversionFunc ucs2Utf8ConvertFunc;
	7	PORTCharConversionWSwapFunc ucs2AsciiConvertFunc;
	8
	9	+/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc)
	10	+ * use the PRUint32 type for the size parameter. Before we pass a size_t or
	11	+ * unsigned long size to these functions, we need to ensure it is <= half of
	12	+ * the maximum PRUint32 value to avoid truncation and catch a negative size.
	13	+ */
	14	+#define MAX_SIZE (PR_UINT32_MAX >> 1)
	15	+
	16	void *
	17	PORT_Alloc(size_t bytes)
	18	{
	19	- void *rv;
	20	+ void *rv = NULL;
	21
	22	- /* Always allocate a non-zero amount of bytes */
	23	- rv = (void *)PR_Malloc(bytes ? bytes : 1);
	24	+ if (bytes <= MAX_SIZE) {
	25	+ /* Always allocate a non-zero amount of bytes */
	26	+ rv = PR_Malloc(bytes ? bytes : 1);
	27	+ }
	28	if (!rv) {
	29	++port_allocFailures;
	30	PORT_SetError(SEC_ERROR_NO_MEMORY);
	31	@@ -86,9 +95,11 @@ PORT_Alloc(size_t bytes)
	32	void *
	33	PORT_Realloc(void *oldptr, size_t bytes)
	34	{
	35	- void *rv;
	36	+ void *rv = NULL;
	37
	38	- rv = (void *)PR_Realloc(oldptr, bytes);
	39	+ if (bytes <= MAX_SIZE) {
	40	+ rv = PR_Realloc(oldptr, bytes);
	41	+ }
	42	if (!rv) {
	43	++port_allocFailures;
	44	PORT_SetError(SEC_ERROR_NO_MEMORY);
	45	@@ -99,10 +110,12 @@ PORT_Realloc(void *oldptr, size_t bytes)
	46	void *
	47	PORT_ZAlloc(size_t bytes)
	48	{
	49	- void *rv;
	50	+ void *rv = NULL;
	51
	52	- /* Always allocate a non-zero amount of bytes */
	53	- rv = (void *)PR_Calloc(1, bytes ? bytes : 1);
	54	+ if (bytes <= MAX_SIZE) {
	55	+ /* Always allocate a non-zero amount of bytes */
	56	+ rv = PR_Calloc(1, bytes ? bytes : 1);
	57	+ }
	58	if (!rv) {
	59	++port_allocFailures;
	60	PORT_SetError(SEC_ERROR_NO_MEMORY);
	61	@@ -209,6 +222,10 @@ PORT_NewArena(unsigned long chunksize)
	62	{
	63	PORTArenaPool *pool;
	64
	65	+ if (chunksize > MAX_SIZE) {
	66	+ PORT_SetError(SEC_ERROR_NO_MEMORY);
	67	+ return NULL;
	68	+ }
	69	pool = PORT_ZNew(PORTArenaPool);
	70	if (!pool) {
	71	return NULL;
	72	@@ -224,8 +241,6 @@ PORT_NewArena(unsigned long chunksize)
	73	return(&pool->arena);
	74	}
	75
	76	-#define MAX_SIZE 0x7fffffffUL
	77	-
	78	void *
	79	PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
	80	{
	81	@@ -330,6 +345,11 @@ PORT_ArenaGrow(PLArenaPool *arena, void
	82	PORTArenaPool pool = (PORTArenaPool )arena;
	83	PORT_Assert(newsize >= oldsize);
	84
	85	+ if (newsize > MAX_SIZE) {
	86	+ PORT_SetError(SEC_ERROR_NO_MEMORY);
	87	+ return NULL;
	88	+ }
	89	+
	90	if (ARENAPOOL_MAGIC == pool->magic ) {
	91	PZ_Lock(pool->lock);
	92	/* Do we do a THREADMARK check here? */