SOURCES: libxml2-CVE-2008-4225.patch (NEW), libxml2-CVE-2008-4226.patch (NE...

Wed, 19 Nov 2008 17:09:28 -0800 

Author: sls                          Date: Thu Nov 20 01:09:14 2008 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- from Fedora

---- Files affected:
SOURCES:
   libxml2-CVE-2008-4225.patch (NONE -> 1.1)  (NEW), 
libxml2-CVE-2008-4226.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/libxml2-CVE-2008-4225.patch
diff -u /dev/null SOURCES/libxml2-CVE-2008-4225.patch:1.1
--- /dev/null   Thu Nov 20 02:09:15 2008
+++ SOURCES/libxml2-CVE-2008-4225.patch Thu Nov 20 02:09:09 2008
@@ -0,0 +1,26 @@
+--- tree.c.orig        2008-10-31 18:14:00.000000000 -0700
++++ tree.c     2008-10-31 18:14:35.000000000 -0700
+@@ -14,7 +14,7 @@
+ #include "libxml.h"
+ 
+ #include <string.h> /* for memset() only ! */
+-
++#include <limits.h>
+ #ifdef HAVE_CTYPE_H
+ #include <ctype.h>
+ #endif
+@@ -6996,7 +6996,13 @@
+       case XML_BUFFER_ALLOC_DOUBLEIT:
+           /*take care of empty case*/
+           newSize = (buf->size ? buf->size*2 : size + 10);
+-          while (size > newSize) newSize *= 2;
++          while (size > newSize) {
++              if (newSize > UINT_MAX / 2) {
++                  xmlTreeErrMemory("growing buffer");
++                  return 0;
++              }
++              newSize *= 2;
++          }
+           break;
+       case XML_BUFFER_ALLOC_EXACT:
+           newSize = size+10;

================================================================
Index: SOURCES/libxml2-CVE-2008-4226.patch
diff -u /dev/null SOURCES/libxml2-CVE-2008-4226.patch:1.1
--- /dev/null   Thu Nov 20 02:09:16 2008
+++ SOURCES/libxml2-CVE-2008-4226.patch Thu Nov 20 02:09:09 2008
@@ -0,0 +1,38 @@
+--- SAX2.c.orig        2008-01-25 08:10:04.000000000 -0500
++++ SAX2.c     2008-11-07 05:07:34.000000000 -0500
+@@ -11,6 +11,7 @@
+ #include "libxml.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include <libxml/xmlmemory.h>
+ #include <libxml/tree.h>
+ #include <libxml/parser.h>
+@@ -26,6 +27,11 @@
+ #include <libxml/HTMLtree.h>
+ #include <libxml/globals.h>
+ 
++/* Define SIZE_T_MAX unless defined through <limits.h>. */
++#ifndef SIZE_T_MAX
++# define SIZE_T_MAX     ((size_t)-1)
++#endif /* !SIZE_T_MAX */
++
+ /* #define DEBUG_SAX2 */
+ /* #define DEBUG_SAX2_TREE */
+ 
+@@ -2445,9 +2451,14 @@
+                      (xmlDictOwns(ctxt->dict, lastChild->content))) {
+               lastChild->content = xmlStrdup(lastChild->content);
+           }
++          if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len || 
++              (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
++                  xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow 
prevented");
++                  return;
++          }
+           if (ctxt->nodelen + len >= ctxt->nodemem) {
+               xmlChar *newbuf;
+-              int size;
++              size_t size;
+ 
+               size = ctxt->nodemem + len;
+               size *= 2;
================================================================
_______________________________________________
pld-cvs-commit mailing list
pld-cvs-commit@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit

Reply via email to