From e1820d14439abedb1cb1caa5cd9f68bcfcbbd466 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Tue, 12 May 2015 23:18:29 -0400 Subject: gnu: icecat: Apply fixes for CVE-2015-{0797,2708,2710,2713,2716}. * gnu/packages/patches/icecat-CVE-2015-0797.patch, gnu/packages/patches/icecat-CVE-2015-2708-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2708-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2708-pt3.patch, gnu/packages/patches/icecat-CVE-2015-2708-pt4.patch, gnu/packages/patches/icecat-CVE-2015-2710-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2710-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2710-pt3.patch, gnu/packages/patches/icecat-CVE-2015-2713-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2713-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2716.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat): Add patches. --- gnu/packages/patches/icecat-CVE-2015-2716.patch | 62 +++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 gnu/packages/patches/icecat-CVE-2015-2716.patch (limited to 'gnu/packages/patches/icecat-CVE-2015-2716.patch') diff --git a/gnu/packages/patches/icecat-CVE-2015-2716.patch b/gnu/packages/patches/icecat-CVE-2015-2716.patch new file mode 100644 index 0000000000..ce036a0921 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-2716.patch @@ -0,0 +1,62 @@ +From 9dcb4563847cb6e2a8112dca03d2684907f96313 Mon Sep 17 00:00:00 2001 +From: Eric Rahm +Date: Fri, 10 Apr 2015 15:50:23 -0700 +Subject: [PATCH] Bug 1140537 - Sanity check size calculations. r=peterv, + a=abillings + +--- + parser/expat/lib/xmlparse.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c +index 70acf1a..436b735 100644 +--- a/parser/expat/lib/xmlparse.c ++++ b/parser/expat/lib/xmlparse.c +@@ -1651,6 +1651,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) + void * XMLCALL + XML_GetBuffer(XML_Parser parser, int len) + { ++/* BEGIN MOZILLA CHANGE (sanity check len) */ ++ if (len < 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + switch (ps_parsing) { + case XML_SUSPENDED: + errorCode = XML_ERROR_SUSPENDED; +@@ -1662,8 +1668,13 @@ XML_GetBuffer(XML_Parser parser, int len) + } + + if (len > bufferLim - bufferEnd) { +- /* FIXME avoid integer overflow */ + int neededSize = len + (int)(bufferEnd - bufferPtr); ++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ ++ if (neededSize < 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + #ifdef XML_CONTEXT_BYTES + int keep = (int)(bufferPtr - buffer); + +@@ -1692,7 +1703,15 @@ XML_GetBuffer(XML_Parser parser, int len) + bufferSize = INIT_BUFFER_SIZE; + do { + bufferSize *= 2; +- } while (bufferSize < neededSize); ++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ ++ } while (bufferSize < neededSize && bufferSize > 0); ++/* END MOZILLA CHANGE */ ++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ ++ if (bufferSize <= 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + newBuf = (char *)MALLOC(bufferSize); + if (newBuf == 0) { + errorCode = XML_ERROR_NO_MEMORY; +-- +2.2.1 + -- cgit 1.4.1