Author: sls Date: Thu Nov 20 01:09:14 2008 GMT Module: SOURCES Tag: HEAD ---- Log message: - from Fedora
---- Files affected: SOURCES: libxml2-CVE-2008-4225.patch (NONE -> 1.1) (NEW), libxml2-CVE-2008-4226.patch (NONE -> 1.1) (NEW) ---- Diffs: ================================================================ Index: SOURCES/libxml2-CVE-2008-4225.patch diff -u /dev/null SOURCES/libxml2-CVE-2008-4225.patch:1.1 --- /dev/null Thu Nov 20 02:09:15 2008 +++ SOURCES/libxml2-CVE-2008-4225.patch Thu Nov 20 02:09:09 2008 @@ -0,0 +1,26 @@ +--- tree.c.orig 2008-10-31 18:14:00.000000000 -0700 ++++ tree.c 2008-10-31 18:14:35.000000000 -0700 +@@ -14,7 +14,7 @@ + #include "libxml.h" + + #include <string.h> /* for memset() only ! */ +- ++#include <limits.h> + #ifdef HAVE_CTYPE_H + #include <ctype.h> + #endif +@@ -6996,7 +6996,13 @@ + case XML_BUFFER_ALLOC_DOUBLEIT: + /*take care of empty case*/ + newSize = (buf->size ? buf->size*2 : size + 10); +- while (size > newSize) newSize *= 2; ++ while (size > newSize) { ++ if (newSize > UINT_MAX / 2) { ++ xmlTreeErrMemory("growing buffer"); ++ return 0; ++ } ++ newSize *= 2; ++ } + break; + case XML_BUFFER_ALLOC_EXACT: + newSize = size+10; ================================================================ Index: SOURCES/libxml2-CVE-2008-4226.patch diff -u /dev/null SOURCES/libxml2-CVE-2008-4226.patch:1.1 --- /dev/null Thu Nov 20 02:09:16 2008 +++ SOURCES/libxml2-CVE-2008-4226.patch Thu Nov 20 02:09:09 2008 @@ -0,0 +1,38 @@ +--- SAX2.c.orig 2008-01-25 08:10:04.000000000 -0500 ++++ SAX2.c 2008-11-07 05:07:34.000000000 -0500 +@@ -11,6 +11,7 @@ + #include "libxml.h" + #include <stdlib.h> + #include <string.h> ++#include <limits.h> + #include <libxml/xmlmemory.h> + #include <libxml/tree.h> + #include <libxml/parser.h> +@@ -26,6 +27,11 @@ + #include <libxml/HTMLtree.h> + #include <libxml/globals.h> + ++/* Define SIZE_T_MAX unless defined through <limits.h>. */ ++#ifndef SIZE_T_MAX ++# define SIZE_T_MAX ((size_t)-1) ++#endif /* !SIZE_T_MAX */ ++ + /* #define DEBUG_SAX2 */ + /* #define DEBUG_SAX2_TREE */ + +@@ -2445,9 +2451,14 @@ + (xmlDictOwns(ctxt->dict, lastChild->content))) { + lastChild->content = xmlStrdup(lastChild->content); + } ++ if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len || ++ (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) { ++ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented"); ++ return; ++ } + if (ctxt->nodelen + len >= ctxt->nodemem) { + xmlChar *newbuf; +- int size; ++ size_t size; + + size = ctxt->nodemem + len; + size *= 2; ================================================================ _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit