2 files changed, 65 insertions, 1 deletions
diff --git a/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
new file mode 100644
index 0000000000..1d0acb6b91
--- /dev/null
+++ b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
@@ -0,0 +1,62 @@
+Multiple integer overflows in the XML_GetBuffer function in Expat 
+through 2.1.0, allow remote attackers to cause a denial of service 
+(heap-based buffer overflow) or possibly have unspecified other 
+impact via crafted XML data.
+CVSSv2:  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
+CVE: CVE-2015-1283
+Upstream-Status: Backport
+Signed-off-by: Eric Rahm <erahm@mozilla.com>
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windirver.com>
+Index: expat-2.1.0/lib/xmlparse.c
+===================================================================
+--- expat-2.1.0.orig/lib/xmlparse.c     2012-03-11 13:13:12.000000000 +0800
+++ expat-2.1.0/lib/xmlparse.c  2015-12-23 10:29:07.347361329 +0800
+@@ -1678,6 +1678,12 @@
+ void * XMLCALL
+ XML_GetBuffer(XML_Parser parser, int len)
+ {
+/* BEGIN MOZILLA CHANGE (sanity check len) */
+  if (len < 0) {
+    errorCode = XML_ERROR_NO_MEMORY;
+    return NULL;
+  }
+/* END MOZILLA CHANGE */
+   switch (ps_parsing) {
+   case XML_SUSPENDED:
+     errorCode = XML_ERROR_SUSPENDED;
+@@ -1689,8 +1695,13 @@
+   }
+ 
+   if (len > bufferLim - bufferEnd) {
+-    /* FIXME avoid integer overflow */
+     int neededSize = len + (int)(bufferEnd - bufferPtr);
+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
+    if (neededSize < 0) {
+      errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
+/* END MOZILLA CHANGE */
+ #ifdef XML_CONTEXT_BYTES
+     int keep = (int)(bufferPtr - buffer);
+ 
+@@ -1719,7 +1730,15 @@
+         bufferSize = INIT_BUFFER_SIZE;
+       do {
+         bufferSize *= 2;
+-      } while (bufferSize < neededSize);
+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
+      } while (bufferSize < neededSize && bufferSize > 0);
+/* END MOZILLA CHANGE */
+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
+      if (bufferSize <= 0) {
+        errorCode = XML_ERROR_NO_MEMORY;
+        return NULL;
+      }
+/* END MOZILLA CHANGE */
+       newBuf = (char *)MALLOC(bufferSize);
+       if (newBuf == 0) {
+         errorCode = XML_ERROR_NO_MEMORY;
diff --git a/meta/recipes-core/expat/expat.inc b/meta/recipes-core/expat/expat.inc
index 6dfafe94d2..4bd60a2a6d 100644
--- a/meta/recipes-core/expat/expat.inc
+++ b/meta/recipes-core/expat/expat.inc
@@ -5,7 +5,9 @@ SECTION = "libs"
 LICENSE = "MIT"
 SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.gz \
-           file://autotools.patch"
+           file://autotools.patch \
+           file://expat-CVE-2015-1283.patch \
+          "
 inherit autotools lib_package gzipnative

diff --git a/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch new file mode 100644 index 0000000000..1d0acb6b91 --- /dev/null +++ b/meta/recipes-core/expat/expat-2.1.0/expat-CVE-2015-1283.patch
@@ -0,0 +1,62 @@
		1	Multiple integer overflows in the XML_GetBuffer function in Expat
		2	through 2.1.0, allow remote attackers to cause a denial of service
		3	(heap-based buffer overflow) or possibly have unspecified other
		4	impact via crafted XML data.
		5
		6	CVSSv2: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
		7
		8	CVE: CVE-2015-1283
		9	Upstream-Status: Backport
		10
		11	Signed-off-by: Eric Rahm <erahm@mozilla.com>
		12	Signed-off-by: Zhixiong Chi <zhixiong.chi@windirver.com>
		13
		14	Index: expat-2.1.0/lib/xmlparse.c
		15	===================================================================
		16	--- expat-2.1.0.orig/lib/xmlparse.c 2012-03-11 13:13:12.000000000 +0800
		17	+++ expat-2.1.0/lib/xmlparse.c 2015-12-23 10:29:07.347361329 +0800
		18	@@ -1678,6 +1678,12 @@
		19	void * XMLCALL
		20	XML_GetBuffer(XML_Parser parser, int len)
		21	{
		22	+/* BEGIN MOZILLA CHANGE (sanity check len) */
		23	+ if (len < 0) {
		24	+ errorCode = XML_ERROR_NO_MEMORY;
		25	+ return NULL;
		26	+ }
		27	+/* END MOZILLA CHANGE */
		28	switch (ps_parsing) {
		29	case XML_SUSPENDED:
		30	errorCode = XML_ERROR_SUSPENDED;
		31	@@ -1689,8 +1695,13 @@
		32	}
		33
		34	if (len > bufferLim - bufferEnd) {
		35	- /* FIXME avoid integer overflow */
		36	int neededSize = len + (int)(bufferEnd - bufferPtr);
		37	+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
		38	+ if (neededSize < 0) {
		39	+ errorCode = XML_ERROR_NO_MEMORY;
		40	+ return NULL;
		41	+ }
		42	+/* END MOZILLA CHANGE */
		43	#ifdef XML_CONTEXT_BYTES
		44	int keep = (int)(bufferPtr - buffer);
		45
		46	@@ -1719,7 +1730,15 @@
		47	bufferSize = INIT_BUFFER_SIZE;
		48	do {
		49	bufferSize *= 2;
		50	- } while (bufferSize < neededSize);
		51	+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
		52	+ } while (bufferSize < neededSize && bufferSize > 0);
		53	+/* END MOZILLA CHANGE */
		54	+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
		55	+ if (bufferSize <= 0) {
		56	+ errorCode = XML_ERROR_NO_MEMORY;
		57	+ return NULL;
		58	+ }
		59	+/* END MOZILLA CHANGE */
		60	newBuf = (char *)MALLOC(bufferSize);
		61	if (newBuf == 0) {
		62	errorCode = XML_ERROR_NO_MEMORY;


diff --git a/meta/recipes-core/expat/expat.inc b/meta/recipes-core/expat/expat.inc index 6dfafe94d2..4bd60a2a6d 100644 --- a/meta/recipes-core/expat/expat.inc +++ b/meta/recipes-core/expat/expat.inc
@@ -5,7 +5,9 @@ SECTION = "libs"
5	LICENSE = "MIT"	5	LICENSE = "MIT"
6		6
7	SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.gz \	7	SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.gz \
8	file://autotools.patch"	8	file://autotools.patch \
		9	file://expat-CVE-2015-1283.patch \
		10	"
9		11
10	inherit autotools lib_package gzipnative	12	inherit autotools lib_package gzipnative
11		13