34cf7934c3
Note, CVE-2015-1283 is already patched in expat version 2.1.1 but, as explained in the patch, the fix was insufficient.
37 lines
1.3 KiB
Diff
37 lines
1.3 KiB
Diff
From 29a11774d8ebbafe8418b4a5ffb4cc1160b194a1 Mon Sep 17 00:00:00 2001
|
|
From: Pascal Cuoq <cuoq@trust-in-soft.com>
|
|
Date: Sun, 15 May 2016 09:05:46 +0200
|
|
Subject: [PATCH] Avoid relying on undefined behavior in CVE-2015-1283 fix. It
|
|
does not really work: https://godbolt.org/g/Zl8gdF
|
|
|
|
---
|
|
expat/lib/xmlparse.c | 6 ++++--
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
|
index 13e080d..cdb12ef 100644
|
|
--- a/lib/xmlparse.c
|
|
+++ b/lib/xmlparse.c
|
|
@@ -1693,7 +1693,8 @@ XML_GetBuffer(XML_Parser parser, int len)
|
|
}
|
|
|
|
if (len > bufferLim - bufferEnd) {
|
|
- int neededSize = len + (int)(bufferEnd - bufferPtr);
|
|
+ /* Do not invoke signed arithmetic overflow: */
|
|
+ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
|
|
if (neededSize < 0) {
|
|
errorCode = XML_ERROR_NO_MEMORY;
|
|
return NULL;
|
|
@@ -1725,7 +1726,8 @@ XML_GetBuffer(XML_Parser parser, int len)
|
|
if (bufferSize == 0)
|
|
bufferSize = INIT_BUFFER_SIZE;
|
|
do {
|
|
- bufferSize *= 2;
|
|
+ /* Do not invoke signed arithmetic overflow: */
|
|
+ bufferSize = (int) (2U * (unsigned) bufferSize);
|
|
} while (bufferSize < neededSize && bufferSize > 0);
|
|
if (bufferSize <= 0) {
|
|
errorCode = XML_ERROR_NO_MEMORY;
|
|
--
|
|
2.8.2
|
|
|