File expat-2.1.0-CVE-2016-9063.patch of Package expat.7212
From d4f735b88d9932bd5039df2335eefdd0723dbe20 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Wed, 12 Apr 2017 23:55:45 +0200
Subject: [PATCH] Detect integer overflow (CVE-2016-9063)
Needs XML_CONTEXT_BYTES to be _undefined_ to trigger; by default it is
defined and set to 1024.
Previously patched downstream, e.g.
https://sources.debian.net/src/expat/2.2.0-2/debian/patches/CVE-2016-9063.patch/
https://bug1274777.bmoattachments.org/attachment.cgi?id=8755538
This version avoids undefined behavior from _signed_ integer overflow.
Signed-off-by: Pascal Cuoq <cuoq@trust-in-soft.com>
---
expat/lib/xmlparse.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index b62d7898..a8377a88 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -1633,11 +1633,14 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
nLeftOver = s + len - end;
if (nLeftOver) {
if (buffer == NULL || nLeftOver > bufferLim - buffer) {
- /* FIXME avoid integer overflow */
- char *temp;
- temp = (buffer == NULL
- ? (char *)MALLOC(len * 2)
- : (char *)REALLOC(buffer, len * 2));
+ /* avoid _signed_ integer overflow */
+ char *temp = NULL;
+ const int bytesToAllocate = (int)((unsigned)len * 2U);
+ if (bytesToAllocate > 0) {
+ temp = (buffer == NULL
+ ? (char *)MALLOC(bytesToAllocate)
+ : (char *)REALLOC(buffer, bytesToAllocate));
+ }
if (temp == NULL) {
errorCode = XML_ERROR_NO_MEMORY;
eventPtr = eventEndPtr = NULL;
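Review bot: The guard `if (bytesToAllocate > 0)` relies on the unsigned-to-int conversion in `(int)((unsigned)len * 2U)` producing a non-positive value whenever the doubled length does not fit, but that conversion is only implementation-defined, and for a negative `len` the wrapped product can land back in the positive range (for example `len == -0x40000001` gives 0x7FFFFFFE), so a negative `len` would pass the check unless XML_Parse rejects it before this point, which is outside the hunk. A portable form checks the operands instead of the result: `const int bytesToAllocate = (len > 0 && len <= INT_MAX / 2) ? len * 2 : 0;` (INT_MAX is from `<limits.h>`; I cannot see from the hunk whether xmlparse.c already includes it). The `bytesToAllocate` use on the `bufferLim` line in the second hunk then stays as is. Reporting the refused allocation as XML_ERROR_NO_MEMORY is acceptable but worth a one-line comment such as `/* overflow is reported as an allocation failure */` so the error mapping is not mistaken for a bug later. XML_Parse itself starts and ends outside the hunk.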
@@ -1645,7 +1648,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
return XML_STATUS_ERROR;
}
buffer = temp;
- bufferLim = buffer + len * 2;
+ bufferLim = buffer + bytesToAllocate;
}
memcpy(buffer, end, nLeftOver);
}