diff options
| author | Mark Felder <feld@FreeBSD.org> | 2016-06-30 22:36:05 +0000 |
|---|---|---|
| committer | Mark Felder <feld@FreeBSD.org> | 2016-06-30 22:36:05 +0000 |
| commit | 66ce3cb3fad20f73671a530ab942f172afb725ac (patch) | |
| tree | 7895fb425cc0e6e051444b62a5a29af43757ceff /textproc/expat2/files/patch-CVE-2016-4472 | |
| parent | f0208d287590568af9c437eb1e37e71a09561c7c (diff) | |
| download | ports-66ce3cb3fad20f73671a530ab942f172afb725ac.tar.gz ports-66ce3cb3fad20f73671a530ab942f172afb725ac.zip | |
textproc/expat2: Patch vulnerability
This patch resolves a vulnerability that may still exist due to
compiler optimizations. The previous patches for CVE-2015-1283 and
CVE-2015-2716 may not work as intended in some situations.
MFH: 2016Q2
Security: CVE-2016-4472
Notes
Notes:
svn path=/head/; revision=417847
Diffstat (limited to 'textproc/expat2/files/patch-CVE-2016-4472')
| -rw-r--r-- | textproc/expat2/files/patch-CVE-2016-4472 | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/textproc/expat2/files/patch-CVE-2016-4472 b/textproc/expat2/files/patch-CVE-2016-4472 new file mode 100644 index 000000000000..dbce55e07d3d --- /dev/null +++ b/textproc/expat2/files/patch-CVE-2016-4472 @@ -0,0 +1,26 @@ + expat/CMakeLists.txt | 3 +++ + expat/lib/xmlparse.c | 48 +++++++++++++++++++++++++++++++++++++++++------- + 2 files changed, 44 insertions(+), 7 deletions(-) + +--- lib/xmlparse.c.orig 2016-06-30 22:23:11 UTC ++++ lib/xmlparse.c +@@ -1693,7 +1693,8 @@ XML_GetBuffer(XML_Parser parser, int len + } + + if (len > bufferLim - bufferEnd) { +- int neededSize = len + (int)(bufferEnd - bufferPtr); ++ /* Do not invoke signed arithmetic overflow: */ ++ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr)); + if (neededSize < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; +@@ -1725,7 +1726,8 @@ XML_GetBuffer(XML_Parser parser, int len + if (bufferSize == 0) + bufferSize = INIT_BUFFER_SIZE; + do { +- bufferSize *= 2; ++ /* Do not invoke signed arithmetic overflow: */ ++ bufferSize = (int) (2U * (unsigned) bufferSize); + } while (bufferSize < neededSize && bufferSize > 0); + if (bufferSize <= 0) { + errorCode = XML_ERROR_NO_MEMORY; |