mirror of
https://github.com/freebsd/freebsd-src.git
synced 2024-12-04 18:59:37 +00:00
Fix multiple integer overflows in expat.
Security: CVE-2015-1283 Security: FreeBSD-SA-15:20.expat
This commit is contained in:
parent
8247063134
commit
eb54d706e4
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/stable/10/; revision=286900
@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
|
||||
void * XMLCALL
|
||||
XML_GetBuffer(XML_Parser parser, int len)
|
||||
{
|
||||
/* BEGIN MOZILLA CHANGE (sanity check len) */
|
||||
if (len < 0) {
|
||||
errorCode = XML_ERROR_NO_MEMORY;
|
||||
return NULL;
|
||||
}
|
||||
/* END MOZILLA CHANGE */
|
||||
switch (ps_parsing) {
|
||||
case XML_SUSPENDED:
|
||||
errorCode = XML_ERROR_SUSPENDED;
|
||||
@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len)
|
||||
}
|
||||
|
||||
if (len > bufferLim - bufferEnd) {
|
||||
/* FIXME avoid integer overflow */
|
||||
int neededSize = len + (int)(bufferEnd - bufferPtr);
|
||||
/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
|
||||
if (neededSize < 0) {
|
||||
errorCode = XML_ERROR_NO_MEMORY;
|
||||
return NULL;
|
||||
}
|
||||
/* END MOZILLA CHANGE */
|
||||
#ifdef XML_CONTEXT_BYTES
|
||||
int keep = (int)(bufferPtr - buffer);
|
||||
|
||||
@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len)
|
||||
bufferSize = INIT_BUFFER_SIZE;
|
||||
do {
|
||||
bufferSize *= 2;
|
||||
} while (bufferSize < neededSize);
|
||||
/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
|
||||
} while (bufferSize < neededSize && bufferSize > 0);
|
||||
/* END MOZILLA CHANGE */
|
||||
/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
|
||||
if (bufferSize <= 0) {
|
||||
errorCode = XML_ERROR_NO_MEMORY;
|
||||
return NULL;
|
||||
}
|
||||
/* END MOZILLA CHANGE */
|
||||
newBuf = (char *)MALLOC(bufferSize);
|
||||
if (newBuf == 0) {
|
||||
errorCode = XML_ERROR_NO_MEMORY;
|
||||
|
Loading…
Reference in New Issue
Block a user