blob: 1d0acb6b91b0be0d1483d41144139fbf1e1729d5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
Multiple integer overflows in the XML_GetBuffer function in Expat
through 2.1.0, allow remote attackers to cause a denial of service
(heap-based buffer overflow) or possibly have unspecified other
impact via crafted XML data.
CVSSv2: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE: CVE-2015-1283
Upstream-Status: Backport
Signed-off-by: Eric Rahm <erahm@mozilla.com>
Signed-off-by: Zhixiong Chi <zhixiong.chi@windirver.com>
Index: expat-2.1.0/lib/xmlparse.c
===================================================================
--- expat-2.1.0.orig/lib/xmlparse.c 2012-03-11 13:13:12.000000000 +0800
+++ expat-2.1.0/lib/xmlparse.c 2015-12-23 10:29:07.347361329 +0800
@@ -1678,6 +1678,12 @@
void * XMLCALL
XML_GetBuffer(XML_Parser parser, int len)
{
+/* BEGIN MOZILLA CHANGE (sanity check len) */
+ if (len < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+/* END MOZILLA CHANGE */
switch (ps_parsing) {
case XML_SUSPENDED:
errorCode = XML_ERROR_SUSPENDED;
@@ -1689,8 +1695,13 @@
}
if (len > bufferLim - bufferEnd) {
- /* FIXME avoid integer overflow */
int neededSize = len + (int)(bufferEnd - bufferPtr);
+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
+ if (neededSize < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+/* END MOZILLA CHANGE */
#ifdef XML_CONTEXT_BYTES
int keep = (int)(bufferPtr - buffer);
@@ -1719,7 +1730,15 @@
bufferSize = INIT_BUFFER_SIZE;
do {
bufferSize *= 2;
- } while (bufferSize < neededSize);
+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
+ } while (bufferSize < neededSize && bufferSize > 0);
+/* END MOZILLA CHANGE */
+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
+ if (bufferSize <= 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+/* END MOZILLA CHANGE */
newBuf = (char *)MALLOC(bufferSize);
if (newBuf == 0) {
errorCode = XML_ERROR_NO_MEMORY;
|