summaryrefslogtreecommitdiffstats
path: root/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch')
-rw-r--r--meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch92
1 files changed, 92 insertions, 0 deletions
diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
new file mode 100644
index 0000000000..21da0c03b5
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
@@ -0,0 +1,92 @@
1Upstream-Status: backport
2yanjun.zhu <yanjun.zhu@windriver.com>
3--- a/nss/lib/util/secport.c
4+++ b/nss/lib/util/secport.c
5@@ -69,13 +69,22 @@ PORTCharConversionFunc ucs4Utf8ConvertFu
6 PORTCharConversionFunc ucs2Utf8ConvertFunc;
7 PORTCharConversionWSwapFunc ucs2AsciiConvertFunc;
8
9+/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc)
10+ * use the PRUint32 type for the size parameter. Before we pass a size_t or
11+ * unsigned long size to these functions, we need to ensure it is <= half of
12+ * the maximum PRUint32 value to avoid truncation and catch a negative size.
13+ */
14+#define MAX_SIZE (PR_UINT32_MAX >> 1)
15+
16 void *
17 PORT_Alloc(size_t bytes)
18 {
19- void *rv;
20+ void *rv = NULL;
21
22- /* Always allocate a non-zero amount of bytes */
23- rv = (void *)PR_Malloc(bytes ? bytes : 1);
24+ if (bytes <= MAX_SIZE) {
25+ /* Always allocate a non-zero amount of bytes */
26+ rv = PR_Malloc(bytes ? bytes : 1);
27+ }
28 if (!rv) {
29 ++port_allocFailures;
30 PORT_SetError(SEC_ERROR_NO_MEMORY);
31@@ -86,9 +95,11 @@ PORT_Alloc(size_t bytes)
32 void *
33 PORT_Realloc(void *oldptr, size_t bytes)
34 {
35- void *rv;
36+ void *rv = NULL;
37
38- rv = (void *)PR_Realloc(oldptr, bytes);
39+ if (bytes <= MAX_SIZE) {
40+ rv = PR_Realloc(oldptr, bytes);
41+ }
42 if (!rv) {
43 ++port_allocFailures;
44 PORT_SetError(SEC_ERROR_NO_MEMORY);
45@@ -99,10 +110,12 @@ PORT_Realloc(void *oldptr, size_t bytes)
46 void *
47 PORT_ZAlloc(size_t bytes)
48 {
49- void *rv;
50+ void *rv = NULL;
51
52- /* Always allocate a non-zero amount of bytes */
53- rv = (void *)PR_Calloc(1, bytes ? bytes : 1);
54+ if (bytes <= MAX_SIZE) {
55+ /* Always allocate a non-zero amount of bytes */
56+ rv = PR_Calloc(1, bytes ? bytes : 1);
57+ }
58 if (!rv) {
59 ++port_allocFailures;
60 PORT_SetError(SEC_ERROR_NO_MEMORY);
61@@ -209,6 +222,10 @@ PORT_NewArena(unsigned long chunksize)
62 {
63 PORTArenaPool *pool;
64
65+ if (chunksize > MAX_SIZE) {
66+ PORT_SetError(SEC_ERROR_NO_MEMORY);
67+ return NULL;
68+ }
69 pool = PORT_ZNew(PORTArenaPool);
70 if (!pool) {
71 return NULL;
72@@ -224,8 +241,6 @@ PORT_NewArena(unsigned long chunksize)
73 return(&pool->arena);
74 }
75
76-#define MAX_SIZE 0x7fffffffUL
77-
78 void *
79 PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
80 {
81@@ -330,6 +345,11 @@ PORT_ArenaGrow(PLArenaPool *arena, void
82 PORTArenaPool *pool = (PORTArenaPool *)arena;
83 PORT_Assert(newsize >= oldsize);
84
85+ if (newsize > MAX_SIZE) {
86+ PORT_SetError(SEC_ERROR_NO_MEMORY);
87+ return NULL;
88+ }
89+
90 if (ARENAPOOL_MAGIC == pool->magic ) {
91 PZ_Lock(pool->lock);
92 /* Do we do a THREADMARK check here? */