131 lines
5.3 KiB
Diff
131 lines
5.3 KiB
Diff
|
$NetBSD: patch-CVE-2016-0718-1,v 1.1 2016/05/17 19:15:01 drochner Exp $
|
||
|
|
||
|
also fixes issues with the fix for CVE-2015-1283 (part of expat-2.1.1):
|
||
|
possible undefined compiler behaviour on signed integer overflows
|
||
|
(upstream commit f0bec73b018caa07d3e75ec8dd967f3785d71bde)
|
||
|
|
||
|
--- lib/xmlparse.c.orig 2016-03-12 03:21:09.000000000 +0000
|
||
|
+++ lib/xmlparse.c
|
||
|
@@ -1693,7 +1693,8 @@ XML_GetBuffer(XML_Parser parser, int len
|
||
|
}
|
||
|
|
||
|
if (len > bufferLim - bufferEnd) {
|
||
|
- int neededSize = len + (int)(bufferEnd - bufferPtr);
|
||
|
+ /* Do not invoke signed arithmetic overflow: */
|
||
|
+ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
|
||
|
if (neededSize < 0) {
|
||
|
errorCode = XML_ERROR_NO_MEMORY;
|
||
|
return NULL;
|
||
|
@@ -1725,7 +1726,8 @@ XML_GetBuffer(XML_Parser parser, int len
|
||
|
if (bufferSize == 0)
|
||
|
bufferSize = INIT_BUFFER_SIZE;
|
||
|
do {
|
||
|
- bufferSize *= 2;
|
||
|
+ /* Do not invoke signed arithmetic overflow: */
|
||
|
+ bufferSize = (int) (2U * (unsigned) bufferSize);
|
||
|
} while (bufferSize < neededSize && bufferSize > 0);
|
||
|
if (bufferSize <= 0) {
|
||
|
errorCode = XML_ERROR_NO_MEMORY;
|
||
|
@@ -2426,11 +2428,11 @@ doContent(XML_Parser parser,
|
||
|
for (;;) {
|
||
|
int bufSize;
|
||
|
int convLen;
|
||
|
- XmlConvert(enc,
|
||
|
+ const enum XML_Convert_Result convert_res = XmlConvert(enc,
|
||
|
&fromPtr, rawNameEnd,
|
||
|
(ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1);
|
||
|
convLen = (int)(toPtr - (XML_Char *)tag->buf);
|
||
|
- if (fromPtr == rawNameEnd) {
|
||
|
+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) {
|
||
|
tag->name.strLen = convLen;
|
||
|
break;
|
||
|
}
|
||
|
@@ -2651,11 +2653,11 @@ doContent(XML_Parser parser,
|
||
|
if (MUST_CONVERT(enc, s)) {
|
||
|
for (;;) {
|
||
|
ICHAR *dataPtr = (ICHAR *)dataBuf;
|
||
|
- XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
|
||
|
+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
|
||
|
*eventEndPP = s;
|
||
|
charDataHandler(handlerArg, dataBuf,
|
||
|
(int)(dataPtr - (ICHAR *)dataBuf));
|
||
|
- if (s == next)
|
||
|
+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
|
||
|
break;
|
||
|
*eventPP = s;
|
||
|
}
|
||
|
@@ -3261,11 +3263,11 @@ doCdataSection(XML_Parser parser,
|
||
|
if (MUST_CONVERT(enc, s)) {
|
||
|
for (;;) {
|
||
|
ICHAR *dataPtr = (ICHAR *)dataBuf;
|
||
|
- XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
|
||
|
+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
|
||
|
*eventEndPP = next;
|
||
|
charDataHandler(handlerArg, dataBuf,
|
||
|
(int)(dataPtr - (ICHAR *)dataBuf));
|
||
|
- if (s == next)
|
||
|
+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
|
||
|
break;
|
||
|
*eventPP = s;
|
||
|
}
|
||
|
@@ -5342,6 +5344,7 @@ reportDefault(XML_Parser parser, const E
|
||
|
const char *s, const char *end)
|
||
|
{
|
||
|
if (MUST_CONVERT(enc, s)) {
|
||
|
+ enum XML_Convert_Result convert_res;
|
||
|
const char **eventPP;
|
||
|
const char **eventEndPP;
|
||
|
if (enc == encoding) {
|
||
|
@@ -5354,11 +5357,11 @@ reportDefault(XML_Parser parser, const E
|
||
|
}
|
||
|
do {
|
||
|
ICHAR *dataPtr = (ICHAR *)dataBuf;
|
||
|
- XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
|
||
|
+ convert_res = XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
|
||
|
*eventEndPP = s;
|
||
|
defaultHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf));
|
||
|
*eventPP = s;
|
||
|
- } while (s != end);
|
||
|
+ } while ((convert_res != XML_CONVERT_COMPLETED) && (convert_res != XML_CONVERT_INPUT_INCOMPLETE));
|
||
|
}
|
||
|
else
|
||
|
defaultHandler(handlerArg, (XML_Char *)s, (int)((XML_Char *)end - (XML_Char *)s));
|
||
|
@@ -6163,8 +6166,8 @@ poolAppend(STRING_POOL *pool, const ENCO
|
||
|
if (!pool->ptr && !poolGrow(pool))
|
||
|
return NULL;
|
||
|
for (;;) {
|
||
|
- XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
|
||
|
- if (ptr == end)
|
||
|
+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
|
||
|
+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
|
||
|
break;
|
||
|
if (!poolGrow(pool))
|
||
|
return NULL;
|
||
|
@@ -6248,8 +6251,13 @@ poolGrow(STRING_POOL *pool)
|
||
|
}
|
||
|
}
|
||
|
if (pool->blocks && pool->start == pool->blocks->s) {
|
||
|
- int blockSize = (int)(pool->end - pool->start)*2;
|
||
|
- BLOCK *temp = (BLOCK *)
|
||
|
+ BLOCK *temp;
|
||
|
+ int blockSize = (int)((unsigned)(pool->end - pool->start)*2U);
|
||
|
+
|
||
|
+ if (blockSize < 0)
|
||
|
+ return XML_FALSE;
|
||
|
+
|
||
|
+ temp = (BLOCK *)
|
||
|
pool->mem->realloc_fcn(pool->blocks,
|
||
|
(offsetof(BLOCK, s)
|
||
|
+ blockSize * sizeof(XML_Char)));
|
||
|
@@ -6264,6 +6272,10 @@ poolGrow(STRING_POOL *pool)
|
||
|
else {
|
||
|
BLOCK *tem;
|
||
|
int blockSize = (int)(pool->end - pool->start);
|
||
|
+
|
||
|
+ if (blockSize < 0)
|
||
|
+ return XML_FALSE;
|
||
|
+
|
||
|
if (blockSize < INIT_BLOCK_SIZE)
|
||
|
blockSize = INIT_BLOCK_SIZE;
|
||
|
else
|