[src/trunk]: src Fixes for CVE-2016-0718 from upstream.
details: https://anonhg.NetBSD.org/src/rev/1ecc3c154595
branches: trunk
changeset: 345305:1ecc3c154595
user: spz <spz%NetBSD.org@localhost>
date: Tue May 17 23:53:02 2016 +0000
description:
Fixes for CVE-2016-0718 from upstream.
diffstat:
distrib/sets/lists/base/shl.mi | 4 +-
distrib/sets/lists/debug/shl.mi | 4 +-
external/mit/expat/dist/lib/xmlparse.c | 40 +++++---
external/mit/expat/dist/lib/xmltok.c | 121 ++++++++++++++++++-------
external/mit/expat/dist/lib/xmltok.h | 10 +-
external/mit/expat/dist/lib/xmltok_impl.c | 62 ++++++------
external/mit/expat/lib/libexpat/shlib_version | 4 +-
7 files changed, 159 insertions(+), 86 deletions(-)
diffs (truncated from 819 to 300 lines):
diff -r e9be471680b1 -r 1ecc3c154595 distrib/sets/lists/base/shl.mi
--- a/distrib/sets/lists/base/shl.mi Tue May 17 21:03:36 2016 +0000
+++ b/distrib/sets/lists/base/shl.mi Tue May 17 23:53:02 2016 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: shl.mi,v 1.771 2016/05/14 14:39:39 spz Exp $
+# $NetBSD: shl.mi,v 1.772 2016/05/17 23:53:02 spz Exp $
#
# Note: Don't delete entries from here - mark them as "obsolete" instead,
# unless otherwise stated below.
@@ -276,7 +276,7 @@
./usr/lib/libexecinfo.so.0.0 base-sys-shlib compatfile
./usr/lib/libexpat.so base-sys-shlib compatfile
./usr/lib/libexpat.so.2 base-sys-shlib compatfile
-./usr/lib/libexpat.so.2.2 base-sys-shlib compatfile
+./usr/lib/libexpat.so.2.3 base-sys-shlib compatfile
./usr/lib/libfetch.so base-sys-shlib compatfile
./usr/lib/libfetch.so.3 base-sys-shlib compatfile
./usr/lib/libfetch.so.3.0 base-sys-shlib compatfile
diff -r e9be471680b1 -r 1ecc3c154595 distrib/sets/lists/debug/shl.mi
--- a/distrib/sets/lists/debug/shl.mi Tue May 17 21:03:36 2016 +0000
+++ b/distrib/sets/lists/debug/shl.mi Tue May 17 23:53:02 2016 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: shl.mi,v 1.133 2016/05/14 14:39:39 spz Exp $
+# $NetBSD: shl.mi,v 1.134 2016/05/17 23:53:02 spz Exp $
./usr/libdata/debug/lib base-sys-usr debug,dynamicroot,compatdir
./usr/libdata/debug/lib/libblacklist.so.0.0.debug comp-sys-debug debug,dynamicroot
./usr/libdata/debug/lib/libc.so.12.202.debug comp-sys-debug debug,dynamicroot
@@ -90,7 +90,7 @@
./usr/libdata/debug/usr/lib/libevent_openssl.so.4.0.debug comp-sys-debug debug,compatfile,crypto
./usr/libdata/debug/usr/lib/libevent_pthreads.so.4.0.debug comp-sys-debug debug,compatfile
./usr/libdata/debug/usr/lib/libexecinfo.so.0.0.debug comp-sys-debug debug,compatfile
-./usr/libdata/debug/usr/lib/libexpat.so.2.2.debug comp-sys-debug debug,compatfile
+./usr/libdata/debug/usr/lib/libexpat.so.2.3.debug comp-sys-debug debug,compatfile
./usr/libdata/debug/usr/lib/libfetch.so.3.0.debug comp-sys-debug debug,compatfile
./usr/libdata/debug/usr/lib/libform.so.6.0.debug comp-sys-debug debug,compatfile
./usr/libdata/debug/usr/lib/libg2c.so.2.0.debug comp-sys-debug obsolete
diff -r e9be471680b1 -r 1ecc3c154595 external/mit/expat/dist/lib/xmlparse.c
--- a/external/mit/expat/dist/lib/xmlparse.c Tue May 17 21:03:36 2016 +0000
+++ b/external/mit/expat/dist/lib/xmlparse.c Tue May 17 23:53:02 2016 +0000
@@ -1693,7 +1693,8 @@
}
if (len > bufferLim - bufferEnd) {
- int neededSize = len + (int)(bufferEnd - bufferPtr);
+ /* Do not invoke signed arithmetic overflow: */
+ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
if (neededSize < 0) {
errorCode = XML_ERROR_NO_MEMORY;
return NULL;
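Review bot: The rewritten `neededSize` line avoids signed overflow, but the `neededSize < 0` test after it now depends on how an out-of-range unsigned value converts to `int`, which C leaves implementation-defined. It works on the usual two's-complement targets, but the intent is clearer and portable if the bound is tested before adding, e.g. `if (len > INT_MAX - (bufferEnd - bufferPtr)) { errorCode = XML_ERROR_NO_MEMORY; return NULL; }`. The same convert-then-test-sign pattern appears in the `bufferSize = (int) (2U * (unsigned) bufferSize);` hunk at -1725 and in the poolGrow hunk at -6248. The enclosing function starts and ends outside this hunk.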
@@ -1725,7 +1726,8 @@
if (bufferSize == 0)
bufferSize = INIT_BUFFER_SIZE;
do {
- bufferSize *= 2;
+ /* Do not invoke signed arithmetic overflow: */
+ bufferSize = (int) (2U * (unsigned) bufferSize);
} while (bufferSize < neededSize && bufferSize > 0);
if (bufferSize <= 0) {
errorCode = XML_ERROR_NO_MEMORY;
@@ -2426,11 +2428,11 @@
for (;;) {
int bufSize;
int convLen;
- XmlConvert(enc,
+ const enum XML_Convert_Result convert_res = XmlConvert(enc,
&fromPtr, rawNameEnd,
(ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1);
convLen = (int)(toPtr - (XML_Char *)tag->buf);
- if (fromPtr == rawNameEnd) {
+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) {
tag->name.strLen = convLen;
break;
}
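Review bot: The new exit test treats `XML_CONVERT_INPUT_INCOMPLETE` exactly like `XML_CONVERT_COMPLETED`, so the loop can now end with `fromPtr` short of `rawNameEnd` and nothing here records that input was left unconverted. That is presumably deliberate, since growing the buffer cannot help, but it deserves a comment such as `/* INPUT_INCOMPLETE: trailing bytes are not a whole character; a bigger buffer will not help, so stop */`. The code after the loop is outside the hunk, so I cannot confirm it tolerates the leftover bytes. The identical two-way test is repeated in the hunks at -2651, -3261, -5354 and -6163; a small `static` helper or macro would keep the five sites from drifting apart.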
@@ -2651,11 +2653,11 @@
if (MUST_CONVERT(enc, s)) {
for (;;) {
ICHAR *dataPtr = (ICHAR *)dataBuf;
- XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
*eventEndPP = s;
charDataHandler(handlerArg, dataBuf,
(int)(dataPtr - (ICHAR *)dataBuf));
- if (s == next)
+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
break;
*eventPP = s;
}
@@ -3261,11 +3263,11 @@
if (MUST_CONVERT(enc, s)) {
for (;;) {
ICHAR *dataPtr = (ICHAR *)dataBuf;
- XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
*eventEndPP = next;
charDataHandler(handlerArg, dataBuf,
(int)(dataPtr - (ICHAR *)dataBuf));
- if (s == next)
+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
break;
*eventPP = s;
}
@@ -5342,6 +5344,7 @@
const char *s, const char *end)
{
if (MUST_CONVERT(enc, s)) {
+ enum XML_Convert_Result convert_res;
const char **eventPP;
const char **eventEndPP;
if (enc == encoding) {
@@ -5354,11 +5357,11 @@
}
do {
ICHAR *dataPtr = (ICHAR *)dataBuf;
- XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
+ convert_res = XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
*eventEndPP = s;
defaultHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf));
*eventPP = s;
- } while (s != end);
+ } while ((convert_res != XML_CONVERT_COMPLETED) && (convert_res != XML_CONVERT_INPUT_INCOMPLETE));
}
else
defaultHandler(handlerArg, (XML_Char *)s, (int)((XML_Char *)end - (XML_Char *)s));
@@ -6163,8 +6166,8 @@
if (!pool->ptr && !poolGrow(pool))
return NULL;
for (;;) {
- XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
- if (ptr == end)
+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
break;
if (!poolGrow(pool))
return NULL;
@@ -6248,8 +6251,13 @@
}
}
if (pool->blocks && pool->start == pool->blocks->s) {
- int blockSize = (int)(pool->end - pool->start)*2;
- BLOCK *temp = (BLOCK *)
+ BLOCK *temp;
+ int blockSize = (int)((unsigned)(pool->end - pool->start)*2U);
+
+ if (blockSize < 0)
+ return XML_FALSE;
+
+ temp = (BLOCK *)
pool->mem->realloc_fcn(pool->blocks,
(offsetof(BLOCK, s)
+ blockSize * sizeof(XML_Char)));
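Review bot: The added `if (blockSize < 0)` guard rejects a wrapped count, but the byte count `offsetof(BLOCK, s) + blockSize * sizeof(XML_Char)` passed to `realloc_fcn` is still unchecked. Where `size_t` is 32 bits and `XML_Char` is wider than one byte, a large positive `blockSize` can wrap that sum. The allocation would then be smaller than the size the pool records; the bookkeeping that follows is outside the hunk. A bound before the call would close this, e.g. `if ((size_t)blockSize > ((size_t)-1 - offsetof(BLOCK, s)) / sizeof(XML_Char)) return XML_FALSE;`.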
@@ -6264,6 +6272,10 @@
else {
BLOCK *tem;
int blockSize = (int)(pool->end - pool->start);
+
+ if (blockSize < 0)
+ return XML_FALSE;
+
if (blockSize < INIT_BLOCK_SIZE)
blockSize = INIT_BLOCK_SIZE;
else
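Review bot: The added `if (blockSize < 0)` check runs before the `if (blockSize < INIT_BLOCK_SIZE) ... else` adjustment, so it cannot catch an overflow introduced by the `else` arm, whose body is outside the hunk. If that arm still doubles `blockSize` as a signed `int`, it needs the same treatment as the branch above, e.g. `if ((int)((unsigned)blockSize * 2U) < 0) return XML_FALSE;` before the doubling.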
diff -r e9be471680b1 -r 1ecc3c154595 external/mit/expat/dist/lib/xmltok.c
--- a/external/mit/expat/dist/lib/xmltok.c Tue May 17 21:03:36 2016 +0000
+++ b/external/mit/expat/dist/lib/xmltok.c Tue May 17 23:53:02 2016 +0000
@@ -46,7 +46,7 @@
#define VTABLE VTABLE1, PREFIX(toUtf8), PREFIX(toUtf16)
#define UCS2_GET_NAMING(pages, hi, lo) \
- (namingBitmap[(pages[hi] << 3) + ((lo) >> 5)] & (1 << ((lo) & 0x1F)))
+ (namingBitmap[(pages[hi] << 3) + ((lo) >> 5)] & (1u << ((lo) & 0x1F)))
/* A 2 byte UTF-8 representation splits the characters 11 bits between
the bottom 5 and 6 bits of the bytes. We need 8 bits to index into
@@ -56,7 +56,7 @@
(namingBitmap[((pages)[(((byte)[0]) >> 2) & 7] << 3) \
+ ((((byte)[0]) & 3) << 1) \
+ ((((byte)[1]) >> 5) & 1)] \
- & (1 << (((byte)[1]) & 0x1F)))
+ & (1u << (((byte)[1]) & 0x1F)))
/* A 3 byte UTF-8 representation splits the characters 16 bits between
the bottom 4, 6 and 6 bits of the bytes. We need 8 bits to index
@@ -69,7 +69,7 @@
<< 3) \
+ ((((byte)[1]) & 3) << 1) \
+ ((((byte)[2]) >> 5) & 1)] \
- & (1 << (((byte)[2]) & 0x1F)))
+ & (1u << (((byte)[2]) & 0x1F)))
#define UTF8_GET_NAMING(pages, p, n) \
((n) == 2 \
@@ -318,39 +318,55 @@
UTF8_cval4 = 0xf0
};
-static void PTRCALL
+static enum XML_Convert_Result PTRCALL
utf8_toUtf8(const ENCODING *enc,
const char **fromP, const char *fromLim,
char **toP, const char *toLim)
{
+ enum XML_Convert_Result res = XML_CONVERT_COMPLETED;
char *to;
const char *from;
if (fromLim - *fromP > toLim - *toP) {
/* Avoid copying partial characters. */
+ res = XML_CONVERT_OUTPUT_EXHAUSTED;
for (fromLim = *fromP + (toLim - *toP); fromLim > *fromP; fromLim--)
if (((unsigned char)fromLim[-1] & 0xc0) != 0x80)
break;
}
- for (to = *toP, from = *fromP; from != fromLim; from++, to++)
+ for (to = *toP, from = *fromP; (from < fromLim) && (to < toLim); from++, to++)
*to = *from;
*fromP = from;
*toP = to;
+
+ if ((to == toLim) && (from < fromLim))
+ return XML_CONVERT_OUTPUT_EXHAUSTED;
+ else
+ return res;
}
-static void PTRCALL
+static enum XML_Convert_Result PTRCALL
utf8_toUtf16(const ENCODING *enc,
const char **fromP, const char *fromLim,
unsigned short **toP, const unsigned short *toLim)
{
+ enum XML_Convert_Result res = XML_CONVERT_COMPLETED;
unsigned short *to = *toP;
const char *from = *fromP;
- while (from != fromLim && to != toLim) {
+ while (from < fromLim && to < toLim) {
switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) {
case BT_LEAD2:
+ if (fromLim - from < 2) {
+ res = XML_CONVERT_INPUT_INCOMPLETE;
+ break;
+ }
*to++ = (unsigned short)(((from[0] & 0x1f) << 6) | (from[1] & 0x3f));
from += 2;
break;
case BT_LEAD3:
+ if (fromLim - from < 3) {
+ res = XML_CONVERT_INPUT_INCOMPLETE;
+ break;
+ }
*to++ = (unsigned short)(((from[0] & 0xf) << 12)
| ((from[1] & 0x3f) << 6) | (from[2] & 0x3f));
from += 3;
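Review bot: In utf8_toUtf16 the new `break;` under `if (fromLim - from < 2)` and `if (fromLim - from < 3)` leaves only the `switch`, not the enclosing `while (from < fromLim && to < toLim)`. Neither `from` nor `to` has moved at that point, so unless code outside the hunk exits the loop, the same truncated lead byte is examined on every iteration and the function never returns. Both cases should use `goto after;`, as the BT_LEAD4 case in the next hunk does. Separately, utf8_toUtf8 in this hunk can only return `XML_CONVERT_COMPLETED` or `XML_CONVERT_OUTPUT_EXHAUSTED`, so a truncated trailing sequence that fits the output is still copied through as if complete.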
@@ -358,8 +374,14 @@
case BT_LEAD4:
{
unsigned long n;
- if (to + 1 == toLim)
+ if (toLim - to < 2) {
+ res = XML_CONVERT_OUTPUT_EXHAUSTED;
goto after;
+ }
+ if (fromLim - from < 4) {
+ res = XML_CONVERT_INPUT_INCOMPLETE;
+ goto after;
+ }
n = ((from[0] & 0x7) << 18) | ((from[1] & 0x3f) << 12)
| ((from[2] & 0x3f) << 6) | (from[3] & 0x3f);
n -= 0x10000;
@@ -377,6 +399,7 @@
after:
*fromP = from;
*toP = to;
+ return res;
}
#ifdef XML_NS
@@ -425,7 +448,7 @@
STANDARD_VTABLE(sb_) NORMAL_VTABLE(utf8_)
};
-static void PTRCALL
+static enum XML_Convert_Result PTRCALL
latin1_toUtf8(const ENCODING *enc,
const char **fromP, const char *fromLim,
char **toP, const char *toLim)
@@ -433,30 +456,35 @@
for (;;) {
unsigned char c;
if (*fromP == fromLim)
- break;
+ return XML_CONVERT_COMPLETED;
c = (unsigned char)**fromP;
if (c & 0x80) {
if (toLim - *toP < 2)
- break;
+ return XML_CONVERT_OUTPUT_EXHAUSTED;
*(*toP)++ = (char)((c >> 6) | UTF8_cval2);
*(*toP)++ = (char)((c & 0x3f) | 0x80);
(*fromP)++;
}
else {