This commit is contained in:
Benjamin Peterson 2016-06-11 13:33:17 -07:00
commit b5ad54990f
4 changed files with 27 additions and 7 deletions

View File

@ -139,6 +139,8 @@ Core and Builtins
Library
-------
- Issue #26556: Update expat to 2.1.1, fixes CVE-2015-1283.
- Fix TLS stripping vulnerability in smptlib, CVE-2016-0772. Reported by Team
Oststrom

View File

@ -1040,7 +1040,7 @@ XML_GetFeatureList(void);
*/
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 1
#define XML_MICRO_VERSION 0
#define XML_MICRO_VERSION 1
#ifdef __cplusplus
}

View File

@ -1550,7 +1550,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
else if (bufferPtr == bufferEnd) {
const char *end;
int nLeftOver;
enum XML_Error result;
enum XML_Status result;
parseEndByteIndex += len;
positionPtr = s;
ps_finalBuffer = (XML_Bool)isFinal;
@ -1678,6 +1678,10 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
void * XMLCALL
XML_GetBuffer(XML_Parser parser, int len)
{
if (len < 0) {
errorCode = XML_ERROR_NO_MEMORY;
return NULL;
}
switch (ps_parsing) {
case XML_SUSPENDED:
errorCode = XML_ERROR_SUSPENDED;
@ -1689,10 +1693,16 @@ XML_GetBuffer(XML_Parser parser, int len)
}
if (len > bufferLim - bufferEnd) {
/* FIXME avoid integer overflow */
int neededSize = len + (int)(bufferEnd - bufferPtr);
#ifdef XML_CONTEXT_BYTES
int keep = (int)(bufferPtr - buffer);
int keep;
#endif
int neededSize = len + (int)(bufferEnd - bufferPtr);
if (neededSize < 0) {
errorCode = XML_ERROR_NO_MEMORY;
return NULL;
}
#ifdef XML_CONTEXT_BYTES
keep = (int)(bufferPtr - buffer);
if (keep > XML_CONTEXT_BYTES)
keep = XML_CONTEXT_BYTES;
@ -1719,7 +1729,11 @@ XML_GetBuffer(XML_Parser parser, int len)
bufferSize = INIT_BUFFER_SIZE;
do {
bufferSize *= 2;
} while (bufferSize < neededSize);
} while (bufferSize < neededSize && bufferSize > 0);
if (bufferSize <= 0) {
errorCode = XML_ERROR_NO_MEMORY;
return NULL;
}
newBuf = (char *)MALLOC(bufferSize);
if (newBuf == 0) {
errorCode = XML_ERROR_NO_MEMORY;
@ -2911,6 +2925,8 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
unsigned long uriHash = hash_secret_salt;
((XML_Char *)s)[-1] = 0; /* clear flag */
id = (ATTRIBUTE_ID *)lookup(parser, &dtd->attributeIds, s, 0);
if (!id || !id->prefix)
return XML_ERROR_NO_MEMORY;
b = id->prefix->binding;
if (!b)
return XML_ERROR_UNBOUND_PREFIX;
@ -5475,6 +5491,8 @@ getAttributeId(XML_Parser parser, const ENCODING *enc,
return NULL;
id->prefix = (PREFIX *)lookup(parser, &dtd->prefixes, poolStart(&dtd->pool),
sizeof(PREFIX));
if (!id->prefix)
return NULL;
if (id->prefix->name == poolStart(&dtd->pool))
poolFinish(&dtd->pool);
else

View File

@ -1584,7 +1584,7 @@ initScan(const ENCODING * const *encodingTable,
if (ptr[0] == '\0') {
/* 0 isn't a legal data character. Furthermore a document
entity can only start with ASCII characters. So the only
way this can fail to be big-endian UTF-16 is if it is an
way this can fail to be big-endian UTF-16 if it it's an
external parsed general entity that's labelled as
UTF-16LE.
*/