diff options
author | Mark H Weaver <mhw@netris.org> | 2015-05-12 23:18:29 -0400 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2015-05-13 01:32:28 -0400 |
commit | e1820d14439abedb1cb1caa5cd9f68bcfcbbd466 (patch) | |
tree | a581e61bd8087db71e75e26fd8fe09cc4ba97125 /gnu/packages/patches/icecat-CVE-2015-2716.patch | |
parent | d7cbc91d1a81c98b3167603bc1f9405f12a0d6e3 (diff) | |
download | guix-e1820d14439abedb1cb1caa5cd9f68bcfcbbd466.tar.gz |
gnu: icecat: Apply fixes for CVE-2015-{0797,2708,2710,2713,2716}.
* gnu/packages/patches/icecat-CVE-2015-0797.patch, gnu/packages/patches/icecat-CVE-2015-2708-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2708-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2708-pt3.patch, gnu/packages/patches/icecat-CVE-2015-2708-pt4.patch, gnu/packages/patches/icecat-CVE-2015-2710-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2710-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2710-pt3.patch, gnu/packages/patches/icecat-CVE-2015-2713-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2713-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2716.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat): Add patches.
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-2716.patch')
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-2716.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2716.patch b/gnu/packages/patches/icecat-CVE-2015-2716.patch new file mode 100644 index 0000000000..ce036a0921 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-2716.patch @@ -0,0 +1,62 @@ +From 9dcb4563847cb6e2a8112dca03d2684907f96313 Mon Sep 17 00:00:00 2001 +From: Eric Rahm <erahm@mozilla.com> +Date: Fri, 10 Apr 2015 15:50:23 -0700 +Subject: [PATCH] Bug 1140537 - Sanity check size calculations. r=peterv, + a=abillings + +--- + parser/expat/lib/xmlparse.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c +index 70acf1a..436b735 100644 +--- a/parser/expat/lib/xmlparse.c ++++ b/parser/expat/lib/xmlparse.c +@@ -1651,6 +1651,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) + void * XMLCALL + XML_GetBuffer(XML_Parser parser, int len) + { ++/* BEGIN MOZILLA CHANGE (sanity check len) */ ++ if (len < 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + switch (ps_parsing) { + case XML_SUSPENDED: + errorCode = XML_ERROR_SUSPENDED; +@@ -1662,8 +1668,13 @@ XML_GetBuffer(XML_Parser parser, int len) + } + + if (len > bufferLim - bufferEnd) { +- /* FIXME avoid integer overflow */ + int neededSize = len + (int)(bufferEnd - bufferPtr); ++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ ++ if (neededSize < 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + #ifdef XML_CONTEXT_BYTES + int keep = (int)(bufferPtr - buffer); + +@@ -1692,7 +1703,15 @@ XML_GetBuffer(XML_Parser parser, int len) + bufferSize = INIT_BUFFER_SIZE; + do { + bufferSize *= 2; +- } while (bufferSize < neededSize); ++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ ++ } while (bufferSize < neededSize && bufferSize > 0); ++/* END MOZILLA CHANGE */ ++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ ++ if (bufferSize <= 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + newBuf = (char *)MALLOC(bufferSize); + if (newBuf == 0) { + errorCode = XML_ERROR_NO_MEMORY; +-- +2.2.1 + |