diff options
author | Mark Felder <feld@FreeBSD.org> | 2016-06-30 22:36:53 +0000 |
---|---|---|
committer | Mark Felder <feld@FreeBSD.org> | 2016-06-30 22:36:53 +0000 |
commit | 859c6d655ba8ec51549be3d8f52a302e7023d4ad (patch) | |
tree | 29e5b076aacf78c05d6245f72a8c3218c8ec4dea | |
parent | MFH: r417698 (diff) |
MFH: r4178472016Q2
textproc/expat2: Patch vulnerability
This patch resolves a vulnerability that may still exist due to
compiler optimizations. The previous patches for CVE-2015-1283 and
CVE-2015-2716 may not work as intended in some situations.
Security: CVE-2016-4472
Approved by: ports-secteam (with hat)
Notes
Notes:
svn path=/branches/2016Q2/; revision=417848
-rw-r--r-- | textproc/expat2/Makefile | 2 | ||||
-rw-r--r-- | textproc/expat2/files/patch-CVE-2016-4472 | 26 |
2 files changed, 27 insertions, 1 deletions
diff --git a/textproc/expat2/Makefile b/textproc/expat2/Makefile index 00273026a61f..db9e46924291 100644 --- a/textproc/expat2/Makefile +++ b/textproc/expat2/Makefile @@ -3,7 +3,7 @@ PORTNAME= expat PORTVERSION= 2.1.1 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= textproc MASTER_SITES= SF diff --git a/textproc/expat2/files/patch-CVE-2016-4472 b/textproc/expat2/files/patch-CVE-2016-4472 new file mode 100644 index 000000000000..dbce55e07d3d --- /dev/null +++ b/textproc/expat2/files/patch-CVE-2016-4472 @@ -0,0 +1,26 @@ + expat/CMakeLists.txt | 3 +++ + expat/lib/xmlparse.c | 48 +++++++++++++++++++++++++++++++++++++++++------- + 2 files changed, 44 insertions(+), 7 deletions(-) + +--- lib/xmlparse.c.orig 2016-06-30 22:23:11 UTC ++++ lib/xmlparse.c +@@ -1693,7 +1693,8 @@ XML_GetBuffer(XML_Parser parser, int len + } + + if (len > bufferLim - bufferEnd) { +- int neededSize = len + (int)(bufferEnd - bufferPtr); ++ /* Do not invoke signed arithmetic overflow: */ ++ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr)); + if (neededSize < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; +@@ -1725,7 +1726,8 @@ XML_GetBuffer(XML_Parser parser, int len + if (bufferSize == 0) + bufferSize = INIT_BUFFER_SIZE; + do { +- bufferSize *= 2; ++ /* Do not invoke signed arithmetic overflow: */ ++ bufferSize = (int) (2U * (unsigned) bufferSize); + } while (bufferSize < neededSize && bufferSize > 0); + if (bufferSize <= 0) { + errorCode = XML_ERROR_NO_MEMORY; |