diff options
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-2716.patch')
| -rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-2716.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2716.patch b/gnu/packages/patches/icecat-CVE-2015-2716.patch new file mode 100644 index 0000000000..ce036a0921 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-2716.patch @@ -0,0 +1,62 @@ +From 9dcb4563847cb6e2a8112dca03d2684907f96313 Mon Sep 17 00:00:00 2001 +From: Eric Rahm <erahm@mozilla.com> +Date: Fri, 10 Apr 2015 15:50:23 -0700 +Subject: [PATCH] Bug 1140537 - Sanity check size calculations. r=peterv, + a=abillings + +--- + parser/expat/lib/xmlparse.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c +index 70acf1a..436b735 100644 +--- a/parser/expat/lib/xmlparse.c ++++ b/parser/expat/lib/xmlparse.c +@@ -1651,6 +1651,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) + void * XMLCALL + XML_GetBuffer(XML_Parser parser, int len) + { ++/* BEGIN MOZILLA CHANGE (sanity check len) */ ++ if (len < 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + switch (ps_parsing) { + case XML_SUSPENDED: + errorCode = XML_ERROR_SUSPENDED; +@@ -1662,8 +1668,13 @@ XML_GetBuffer(XML_Parser parser, int len) + } + + if (len > bufferLim - bufferEnd) { +- /* FIXME avoid integer overflow */ + int neededSize = len + (int)(bufferEnd - bufferPtr); ++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ ++ if (neededSize < 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + #ifdef XML_CONTEXT_BYTES + int keep = (int)(bufferPtr - buffer); + +@@ -1692,7 +1703,15 @@ XML_GetBuffer(XML_Parser parser, int len) + bufferSize = INIT_BUFFER_SIZE; + do { + bufferSize *= 2; +- } while (bufferSize < neededSize); ++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ ++ } while (bufferSize < neededSize && bufferSize > 0); ++/* END MOZILLA CHANGE */ ++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ ++ if (bufferSize <= 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + newBuf = (char *)MALLOC(bufferSize); + if (newBuf == 0) { + errorCode = XML_ERROR_NO_MEMORY; +-- +2.2.1 + |