diff options
| author | 宋文武 <iyzsong@gmail.com> | 2015-05-23 09:43:12 +0800 |
|---|---|---|
| committer | 宋文武 <iyzsong@gmail.com> | 2015-05-23 09:43:12 +0800 |
| commit | 86a81222cad9841c67e9d9bcd46c567383e9a34f (patch) | |
| tree | d976896cba87c5de65d8fdc4bf0be85880c04153 /gnu/packages/patches/icecat-CVE-2015-2716.patch | |
| parent | 3e3d47fc5347a5032fd2039831be1dc1d80576ed (diff) | |
| parent | 8605321dd6f3c42590046be9d69112a8c8cf7cbf (diff) | |
| download | guix-86a81222cad9841c67e9d9bcd46c567383e9a34f.tar.gz | |
Merge branch 'master' into gtk-rebuild
Conflicts: gnu/packages/gtk.scm
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-2716.patch')
| -rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-2716.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2716.patch b/gnu/packages/patches/icecat-CVE-2015-2716.patch new file mode 100644 index 0000000000..ce036a0921 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-2716.patch @@ -0,0 +1,62 @@ +From 9dcb4563847cb6e2a8112dca03d2684907f96313 Mon Sep 17 00:00:00 2001 +From: Eric Rahm <erahm@mozilla.com> +Date: Fri, 10 Apr 2015 15:50:23 -0700 +Subject: [PATCH] Bug 1140537 - Sanity check size calculations. r=peterv, + a=abillings + +--- + parser/expat/lib/xmlparse.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c +index 70acf1a..436b735 100644 +--- a/parser/expat/lib/xmlparse.c ++++ b/parser/expat/lib/xmlparse.c +@@ -1651,6 +1651,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) + void * XMLCALL + XML_GetBuffer(XML_Parser parser, int len) + { ++/* BEGIN MOZILLA CHANGE (sanity check len) */ ++ if (len < 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + switch (ps_parsing) { + case XML_SUSPENDED: + errorCode = XML_ERROR_SUSPENDED; +@@ -1662,8 +1668,13 @@ XML_GetBuffer(XML_Parser parser, int len) + } + + if (len > bufferLim - bufferEnd) { +- /* FIXME avoid integer overflow */ + int neededSize = len + (int)(bufferEnd - bufferPtr); ++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ ++ if (neededSize < 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + #ifdef XML_CONTEXT_BYTES + int keep = (int)(bufferPtr - buffer); + +@@ -1692,7 +1703,15 @@ XML_GetBuffer(XML_Parser parser, int len) + bufferSize = INIT_BUFFER_SIZE; + do { + bufferSize *= 2; +- } while (bufferSize < neededSize); ++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ ++ } while (bufferSize < neededSize && bufferSize > 0); ++/* END MOZILLA CHANGE */ ++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ ++ if (bufferSize <= 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + newBuf = (char *)MALLOC(bufferSize); + if (newBuf == 0) { + errorCode = XML_ERROR_NO_MEMORY; +-- +2.2.1 + |