From 196d7db3956f4c0b03e87b570771b3460a61bab5 Mon Sep 17 00:00:00 2001 From: Benjamin Peterson Date: Sat, 11 Jun 2016 13:28:56 -0700 Subject: [PATCH] upgrade expt to 2.1.1 (closes #26556) --- Misc/NEWS | 2 ++ Modules/expat/expat.h | 2 +- Modules/expat/xmlparse.c | 28 +++++++++++++++++++++++----- Modules/expat/xmltok.c | 2 +- 4 files changed, 27 insertions(+), 7 deletions(-) diff --git a/Misc/NEWS b/Misc/NEWS index 92e1a809fe6..cb74a78aff9 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -19,6 +19,8 @@ Core and Builtins Library ------- +- Issue #26556: Update expat to 2.1.1, fixes CVE-2015-1283. + - Fix TLS stripping vulnerability in smptlib, CVE-2016-0772. Reported by Team Oststrom diff --git a/Modules/expat/expat.h b/Modules/expat/expat.h index 06b5de0f446..e8eefddc6d8 100644 --- a/Modules/expat/expat.h +++ b/Modules/expat/expat.h @@ -1040,7 +1040,7 @@ XML_GetFeatureList(void); */ #define XML_MAJOR_VERSION 2 #define XML_MINOR_VERSION 1 -#define XML_MICRO_VERSION 0 +#define XML_MICRO_VERSION 1 #ifdef __cplusplus } diff --git a/Modules/expat/xmlparse.c b/Modules/expat/xmlparse.c index 0ac0317b8e1..412838794d7 100644 --- a/Modules/expat/xmlparse.c +++ b/Modules/expat/xmlparse.c @@ -1550,7 +1550,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) else if (bufferPtr == bufferEnd) { const char *end; int nLeftOver; - enum XML_Error result; + enum XML_Status result; parseEndByteIndex += len; positionPtr = s; ps_finalBuffer = (XML_Bool)isFinal; @@ -1678,6 +1678,10 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) void * XMLCALL XML_GetBuffer(XML_Parser parser, int len) { + if (len < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } switch (ps_parsing) { case XML_SUSPENDED: errorCode = XML_ERROR_SUSPENDED; @@ -1689,10 +1693,16 @@ XML_GetBuffer(XML_Parser parser, int len) } if (len > bufferLim - bufferEnd) { - /* FIXME avoid integer overflow */ - int neededSize = len + (int)(bufferEnd - bufferPtr); #ifdef XML_CONTEXT_BYTES - int keep = (int)(bufferPtr - buffer); + int keep; +#endif + int neededSize = len + (int)(bufferEnd - bufferPtr); + if (neededSize < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +#ifdef XML_CONTEXT_BYTES + keep = (int)(bufferPtr - buffer); if (keep > XML_CONTEXT_BYTES) keep = XML_CONTEXT_BYTES; @@ -1719,7 +1729,11 @@ XML_GetBuffer(XML_Parser parser, int len) bufferSize = INIT_BUFFER_SIZE; do { bufferSize *= 2; - } while (bufferSize < neededSize); + } while (bufferSize < neededSize && bufferSize > 0); + if (bufferSize <= 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } newBuf = (char *)MALLOC(bufferSize); if (newBuf == 0) { errorCode = XML_ERROR_NO_MEMORY; @@ -2911,6 +2925,8 @@ storeAtts(XML_Parser parser, const ENCODING *enc, unsigned long uriHash = hash_secret_salt; ((XML_Char *)s)[-1] = 0; /* clear flag */ id = (ATTRIBUTE_ID *)lookup(parser, &dtd->attributeIds, s, 0); + if (!id || !id->prefix) + return XML_ERROR_NO_MEMORY; b = id->prefix->binding; if (!b) return XML_ERROR_UNBOUND_PREFIX; @@ -5475,6 +5491,8 @@ getAttributeId(XML_Parser parser, const ENCODING *enc, return NULL; id->prefix = (PREFIX *)lookup(parser, &dtd->prefixes, poolStart(&dtd->pool), sizeof(PREFIX)); + if (!id->prefix) + return NULL; if (id->prefix->name == poolStart(&dtd->pool)) poolFinish(&dtd->pool); else diff --git a/Modules/expat/xmltok.c b/Modules/expat/xmltok.c index fd6bf7a3d18..205c07eb848 100644 --- a/Modules/expat/xmltok.c +++ b/Modules/expat/xmltok.c @@ -1584,7 +1584,7 @@ initScan(const ENCODING * const *encodingTable, if (ptr[0] == '\0') { /* 0 isn't a legal data character. Furthermore a document entity can only start with ASCII characters. So the only - way this can fail to be big-endian UTF-16 is if it is an + way this can fail to be big-endian UTF-16 if it it's an external parsed general entity that's labelled as UTF-16LE. */