[Midnightbsd-cvs] src [7262] trunk: Fix a security vulnerability with expat.

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Tue Aug 18 16:53:32 EDT 2015 

Revision: 7262
          http://svnweb.midnightbsd.org/src/?rev=7262
Author:   laffer1
Date:     2015-08-18 16:53:31 -0400 (Tue, 18 Aug 2015)
Log Message:
-----------
Fix a security vulnerability with expat.

Modified Paths:
--------------
    trunk/UPDATING
    trunk/contrib/expat/lib/xmlparse.c

Modified: trunk/UPDATING
===================================================================
--- trunk/UPDATING	2015-08-16 17:20:47 UTC (rev 7261)
+++ trunk/UPDATING	2015-08-18 20:53:31 UTC (rev 7262)
@@ -1,5 +1,11 @@
 Updating Information for MidnightBSD users.
 
+20160818:
+	expat security fix
+
+	Multiple integer overflows have been discovered in the XML_GetBuffer()
+	function in the expat library.
+
 20160815:
 	libc changes:
 	setmode(3) now returns errno consistently on error.

Modified: trunk/contrib/expat/lib/xmlparse.c
===================================================================
--- trunk/contrib/expat/lib/xmlparse.c	2015-08-16 17:20:47 UTC (rev 7261)
+++ trunk/contrib/expat/lib/xmlparse.c	2015-08-18 20:53:31 UTC (rev 7262)
@@ -1600,6 +1600,12 @@
 void * XMLCALL
 XML_GetBuffer(XML_Parser parser, int len)
 {
+/* BEGIN MOZILLA CHANGE (sanity check len) */
+  if (len < 0) {
+    errorCode = XML_ERROR_NO_MEMORY;
+    return NULL;
+  }
+/* END MOZILLA CHANGE */
   switch (ps_parsing) {
   case XML_SUSPENDED:
     errorCode = XML_ERROR_SUSPENDED;
@@ -1611,8 +1617,13 @@
   }
 
   if (len > bufferLim - bufferEnd) {
-    /* FIXME avoid integer overflow */
     int neededSize = len + (int)(bufferEnd - bufferPtr);
+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
+    if (neededSize < 0) {
+      errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
+/* END MOZILLA CHANGE */
 #ifdef XML_CONTEXT_BYTES
     int keep = (int)(bufferPtr - buffer);
 
@@ -1641,7 +1652,15 @@
         bufferSize = INIT_BUFFER_SIZE;
       do {
         bufferSize *= 2;
-      } while (bufferSize < neededSize);
+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
+      } while (bufferSize < neededSize && bufferSize > 0);
+/* END MOZILLA CHANGE */
+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
+      if (bufferSize <= 0) {
+        errorCode = XML_ERROR_NO_MEMORY;
+        return NULL;
+      }
+/* END MOZILLA CHANGE */
       newBuf = (char *)MALLOC(bufferSize);
       if (newBuf == 0) {
         errorCode = XML_ERROR_NO_MEMORY;

More information about the Midnightbsd-cvs mailing list