Date: Tue, 18 Aug 2015 19:30:36 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r286902 - in releng: 10.1 10.1/contrib/expat/lib 10.1/sys/conf 9.3 9.3/contrib/expat/lib 9.3/sys/conf Message-ID: <201508181930.t7IJUagT089590@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Tue Aug 18 19:30:35 2015 New Revision: 286902 URL: https://svnweb.freebsd.org/changeset/base/286902 Log: Fix multiple integer overflows in expat. Security: CVE-2015-1283 Security: FreeBSD-SA-15:20.expat Approved by: so Modified: releng/10.1/UPDATING releng/10.1/contrib/expat/lib/xmlparse.c releng/10.1/sys/conf/newvers.sh releng/9.3/UPDATING releng/9.3/contrib/expat/lib/xmlparse.c releng/9.3/sys/conf/newvers.sh Modified: releng/10.1/UPDATING ============================================================================== --- releng/10.1/UPDATING Tue Aug 18 19:30:17 2015 (r286901) +++ releng/10.1/UPDATING Tue Aug 18 19:30:35 2015 (r286902) @@ -16,6 +16,11 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20150818: p1 FreeBSD-SA-15:20.expat + + Fix multiple integer overflows in expat (libbsdxml) XML parser. + [SA-15:20] + 20150805: p17 FreeBSD-SA-15:18.bsdpatch FreeBSD-SA-15:19.routed Modified: releng/10.1/contrib/expat/lib/xmlparse.c ============================================================================== --- releng/10.1/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:17 2015 (r286901) +++ releng/10.1/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:35 2015 (r286902) @@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int l void * XMLCALL XML_GetBuffer(XML_Parser parser, int len) { +/* BEGIN MOZILLA CHANGE (sanity check len) */ + if (len < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ switch (ps_parsing) { case XML_SUSPENDED: errorCode = XML_ERROR_SUSPENDED; @@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len } if (len > bufferLim - bufferEnd) { - /* FIXME avoid integer overflow */ int neededSize = len + (int)(bufferEnd - bufferPtr); +/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ + if (neededSize < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ #ifdef XML_CONTEXT_BYTES int keep = (int)(bufferPtr - buffer); @@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len bufferSize = INIT_BUFFER_SIZE; do { bufferSize *= 2; - } while (bufferSize < neededSize); +/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ + } while (bufferSize < neededSize && bufferSize > 0); +/* END MOZILLA CHANGE */ +/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ + if (bufferSize <= 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ newBuf = (char *)MALLOC(bufferSize); if (newBuf == 0) { errorCode = XML_ERROR_NO_MEMORY; Modified: releng/10.1/sys/conf/newvers.sh ============================================================================== --- releng/10.1/sys/conf/newvers.sh Tue Aug 18 19:30:17 2015 (r286901) +++ releng/10.1/sys/conf/newvers.sh Tue Aug 18 19:30:35 2015 (r286902) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RELEASE-p17" +BRANCH="RELEASE-p18" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.3/UPDATING ============================================================================== --- releng/9.3/UPDATING Tue Aug 18 19:30:17 2015 (r286901) +++ releng/9.3/UPDATING Tue Aug 18 19:30:35 2015 (r286902) @@ -11,6 +11,11 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20150818: p23 FreeBSD-SA-15:20.expat + + Fix multiple integer overflows in expat (libbsdxml) XML parser. + [SA-15:20] + 20150805: p22 FreeBSD-SA-15:19.routed Fix routed remote denial of service vulnerability. Modified: releng/9.3/contrib/expat/lib/xmlparse.c ============================================================================== --- releng/9.3/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:17 2015 (r286901) +++ releng/9.3/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:35 2015 (r286902) @@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int l void * XMLCALL XML_GetBuffer(XML_Parser parser, int len) { +/* BEGIN MOZILLA CHANGE (sanity check len) */ + if (len < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ switch (ps_parsing) { case XML_SUSPENDED: errorCode = XML_ERROR_SUSPENDED; @@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len } if (len > bufferLim - bufferEnd) { - /* FIXME avoid integer overflow */ int neededSize = len + (int)(bufferEnd - bufferPtr); +/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ + if (neededSize < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ #ifdef XML_CONTEXT_BYTES int keep = (int)(bufferPtr - buffer); @@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len bufferSize = INIT_BUFFER_SIZE; do { bufferSize *= 2; - } while (bufferSize < neededSize); +/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ + } while (bufferSize < neededSize && bufferSize > 0); +/* END MOZILLA CHANGE */ +/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ + if (bufferSize <= 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ newBuf = (char *)MALLOC(bufferSize); if (newBuf == 0) { errorCode = XML_ERROR_NO_MEMORY; Modified: releng/9.3/sys/conf/newvers.sh ============================================================================== --- releng/9.3/sys/conf/newvers.sh Tue Aug 18 19:30:17 2015 (r286901) +++ releng/9.3/sys/conf/newvers.sh Tue Aug 18 19:30:35 2015 (r286902) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p22" +BRANCH="RELEASE-p23" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201508181930.t7IJUagT089590>