diff options
Diffstat (limited to 'source/l/expat/5c168279c5ad4668e5e48fe13374fe7a7de4b573.patch')
-rw-r--r-- | source/l/expat/5c168279c5ad4668e5e48fe13374fe7a7de4b573.patch | 75 |
1 files changed, 0 insertions, 75 deletions
diff --git a/source/l/expat/5c168279c5ad4668e5e48fe13374fe7a7de4b573.patch b/source/l/expat/5c168279c5ad4668e5e48fe13374fe7a7de4b573.patch deleted file mode 100644 index da0875ab7..000000000 --- a/source/l/expat/5c168279c5ad4668e5e48fe13374fe7a7de4b573.patch +++ /dev/null @@ -1,75 +0,0 @@ -From ede41d1e186ed2aba88a06e84cac839b770af3a1 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping <sebastian@pipping.org> -Date: Wed, 26 Jan 2022 02:36:43 +0100 -Subject: [PATCH 1/2] lib: Prevent integer overflow in doProlog - (CVE-2022-23990) - -The change from "int nameLen" to "size_t nameLen" -addresses the overflow on "nameLen++" in code -"for (; name[nameLen++];)" right above the second -change in the patch. ---- - expat/lib/xmlparse.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c -index 5ce31402..d1d17005 100644 ---- a/expat/lib/xmlparse.c -+++ b/expat/lib/xmlparse.c -@@ -5372,7 +5372,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, - if (dtd->in_eldecl) { - ELEMENT_TYPE *el; - const XML_Char *name; -- int nameLen; -+ size_t nameLen; - const char *nxt - = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar); - int myindex = nextScaffoldPart(parser); -@@ -5388,7 +5388,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, - nameLen = 0; - for (; name[nameLen++];) - ; -- dtd->contentStringLen += nameLen; -+ -+ /* Detect and prevent integer overflow */ -+ if (nameLen > UINT_MAX - dtd->contentStringLen) { -+ return XML_ERROR_NO_MEMORY; -+ } -+ -+ dtd->contentStringLen += (unsigned)nameLen; - if (parser->m_elementDeclHandler) - handleDefault = XML_FALSE; - } - -From 6e3449594fb2f61c92fc561f51f82196fdd15d63 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping <sebastian@pipping.org> -Date: Wed, 26 Jan 2022 02:51:39 +0100 -Subject: [PATCH 2/2] Changes: Document CVE-2022-23990 - ---- - expat/Changes | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/expat/Changes b/expat/Changes -index 5ff5da5e..ec1f7604 100644 ---- a/expat/Changes -+++ b/expat/Changes -@@ -10,12 +10,18 @@ Release x.x.x xxx xxxxxxx xx xxxx - for when XML_CONTEXT_BYTES is defined to >0 (which is both - common and default). - Impact is denial of service or more. -+ #551 CVE-2022-23990 -- Fix unsigned integer overflow in function -+ doProlog triggered by large content in element type -+ declarations when there is an element declaration handler -+ present (from a prior call to XML_SetElementDeclHandler). -+ Impact is denial of service or more. - - Bug fixes: - #544 #545 xmlwf: Fix a memory leak on output file opening error - - Special thanks to: - hwt0415 -+ Roland Illig - Samanta Navarro - and - Clang LeakSan and the Clang team |