diff options
Diffstat (limited to 'meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch')
-rw-r--r-- | meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch new file mode 100644 index 0000000000..21da0c03b5 --- /dev/null +++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch | |||
@@ -0,0 +1,92 @@ | |||
1 | Upstream-Status: backport | ||
2 | yanjun.zhu <yanjun.zhu@windriver.com> | ||
3 | --- a/nss/lib/util/secport.c | ||
4 | +++ b/nss/lib/util/secport.c | ||
5 | @@ -69,13 +69,22 @@ PORTCharConversionFunc ucs4Utf8ConvertFu | ||
6 | PORTCharConversionFunc ucs2Utf8ConvertFunc; | ||
7 | PORTCharConversionWSwapFunc ucs2AsciiConvertFunc; | ||
8 | |||
9 | +/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc) | ||
10 | + * use the PRUint32 type for the size parameter. Before we pass a size_t or | ||
11 | + * unsigned long size to these functions, we need to ensure it is <= half of | ||
12 | + * the maximum PRUint32 value to avoid truncation and catch a negative size. | ||
13 | + */ | ||
14 | +#define MAX_SIZE (PR_UINT32_MAX >> 1) | ||
15 | + | ||
16 | void * | ||
17 | PORT_Alloc(size_t bytes) | ||
18 | { | ||
19 | - void *rv; | ||
20 | + void *rv = NULL; | ||
21 | |||
22 | - /* Always allocate a non-zero amount of bytes */ | ||
23 | - rv = (void *)PR_Malloc(bytes ? bytes : 1); | ||
24 | + if (bytes <= MAX_SIZE) { | ||
25 | + /* Always allocate a non-zero amount of bytes */ | ||
26 | + rv = PR_Malloc(bytes ? bytes : 1); | ||
27 | + } | ||
28 | if (!rv) { | ||
29 | ++port_allocFailures; | ||
30 | PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
31 | @@ -86,9 +95,11 @@ PORT_Alloc(size_t bytes) | ||
32 | void * | ||
33 | PORT_Realloc(void *oldptr, size_t bytes) | ||
34 | { | ||
35 | - void *rv; | ||
36 | + void *rv = NULL; | ||
37 | |||
38 | - rv = (void *)PR_Realloc(oldptr, bytes); | ||
39 | + if (bytes <= MAX_SIZE) { | ||
40 | + rv = PR_Realloc(oldptr, bytes); | ||
41 | + } | ||
42 | if (!rv) { | ||
43 | ++port_allocFailures; | ||
44 | PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
45 | @@ -99,10 +110,12 @@ PORT_Realloc(void *oldptr, size_t bytes) | ||
46 | void * | ||
47 | PORT_ZAlloc(size_t bytes) | ||
48 | { | ||
49 | - void *rv; | ||
50 | + void *rv = NULL; | ||
51 | |||
52 | - /* Always allocate a non-zero amount of bytes */ | ||
53 | - rv = (void *)PR_Calloc(1, bytes ? bytes : 1); | ||
54 | + if (bytes <= MAX_SIZE) { | ||
55 | + /* Always allocate a non-zero amount of bytes */ | ||
56 | + rv = PR_Calloc(1, bytes ? bytes : 1); | ||
57 | + } | ||
58 | if (!rv) { | ||
59 | ++port_allocFailures; | ||
60 | PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
61 | @@ -209,6 +222,10 @@ PORT_NewArena(unsigned long chunksize) | ||
62 | { | ||
63 | PORTArenaPool *pool; | ||
64 | |||
65 | + if (chunksize > MAX_SIZE) { | ||
66 | + PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
67 | + return NULL; | ||
68 | + } | ||
69 | pool = PORT_ZNew(PORTArenaPool); | ||
70 | if (!pool) { | ||
71 | return NULL; | ||
72 | @@ -224,8 +241,6 @@ PORT_NewArena(unsigned long chunksize) | ||
73 | return(&pool->arena); | ||
74 | } | ||
75 | |||
76 | -#define MAX_SIZE 0x7fffffffUL | ||
77 | - | ||
78 | void * | ||
79 | PORT_ArenaAlloc(PLArenaPool *arena, size_t size) | ||
80 | { | ||
81 | @@ -330,6 +345,11 @@ PORT_ArenaGrow(PLArenaPool *arena, void | ||
82 | PORTArenaPool *pool = (PORTArenaPool *)arena; | ||
83 | PORT_Assert(newsize >= oldsize); | ||
84 | |||
85 | + if (newsize > MAX_SIZE) { | ||
86 | + PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
87 | + return NULL; | ||
88 | + } | ||
89 | + | ||
90 | if (ARENAPOOL_MAGIC == pool->magic ) { | ||
91 | PZ_Lock(pool->lock); | ||
92 | /* Do we do a THREADMARK check here? */ | ||