summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMark Felder <feld@FreeBSD.org>2016-06-30 22:36:53 +0000
committerMark Felder <feld@FreeBSD.org>2016-06-30 22:36:53 +0000
commit859c6d655ba8ec51549be3d8f52a302e7023d4ad (patch)
tree29e5b076aacf78c05d6245f72a8c3218c8ec4dea
parentMFH: r417698 (diff)
MFH: r4178472016Q2
textproc/expat2: Patch vulnerability This patch resolves a vulnerability that may still exist due to compiler optimizations. The previous patches for CVE-2015-1283 and CVE-2015-2716 may not work as intended in some situations. Security: CVE-2016-4472 Approved by: ports-secteam (with hat)
Notes
Notes: svn path=/branches/2016Q2/; revision=417848
-rw-r--r--textproc/expat2/Makefile2
-rw-r--r--textproc/expat2/files/patch-CVE-2016-447226
2 files changed, 27 insertions, 1 deletions
diff --git a/textproc/expat2/Makefile b/textproc/expat2/Makefile
index 00273026a61f..db9e46924291 100644
--- a/textproc/expat2/Makefile
+++ b/textproc/expat2/Makefile
@@ -3,7 +3,7 @@
PORTNAME= expat
PORTVERSION= 2.1.1
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= textproc
MASTER_SITES= SF
diff --git a/textproc/expat2/files/patch-CVE-2016-4472 b/textproc/expat2/files/patch-CVE-2016-4472
new file mode 100644
index 000000000000..dbce55e07d3d
--- /dev/null
+++ b/textproc/expat2/files/patch-CVE-2016-4472
@@ -0,0 +1,26 @@
+ expat/CMakeLists.txt | 3 +++
+ expat/lib/xmlparse.c | 48 +++++++++++++++++++++++++++++++++++++++++-------
+ 2 files changed, 44 insertions(+), 7 deletions(-)
+
+--- lib/xmlparse.c.orig 2016-06-30 22:23:11 UTC
++++ lib/xmlparse.c
+@@ -1693,7 +1693,8 @@ XML_GetBuffer(XML_Parser parser, int len
+ }
+
+ if (len > bufferLim - bufferEnd) {
+- int neededSize = len + (int)(bufferEnd - bufferPtr);
++ /* Do not invoke signed arithmetic overflow: */
++ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
+ if (neededSize < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+@@ -1725,7 +1726,8 @@ XML_GetBuffer(XML_Parser parser, int len
+ if (bufferSize == 0)
+ bufferSize = INIT_BUFFER_SIZE;
+ do {
+- bufferSize *= 2;
++ /* Do not invoke signed arithmetic overflow: */
++ bufferSize = (int) (2U * (unsigned) bufferSize);
+ } while (bufferSize < neededSize && bufferSize > 0);
+ if (bufferSize <= 0) {
+ errorCode = XML_ERROR_NO_MEMORY;