upgrade expt to 2.1.1 (closes #26556)

f0d8ac28 · Benjamin Peterson · 89c90daf · f0d8ac28 · f0d8ac28 · f0d8ac28
Commit f0d8ac28 authored Jun 11, 2016 by Benjamin Peterson
Showing with 26 additions and 6 deletions

Misc/NEWS Misc/NEWS +2 -0

Modules/expat/expat.h Modules/expat/expat.h +1 -1

Modules/expat/xmlparse.c Modules/expat/xmlparse.c +22 -4

Modules/expat/xmltok.c Modules/expat/xmltok.c +1 -1

No files found.
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -19,6 +19,8 @@ Core and Builtins
 Library
 -------

+- Issue #26556: Update expat to 2.1.1, fixes CVE-2015-1283.
+
 - Fix TLS stripping vulnerability in smptlib, CVE-2016-0772.  Reported by Team
  Oststrom


--- a/Modules/expat/expat.h
+++ b/Modules/expat/expat.h
@@ -1040,7 +1040,7 @@ XML_GetFeatureList(void);
 */
 #define XML_MAJOR_VERSION 2
 #define XML_MINOR_VERSION 1
-#define XML_MICRO_VERSION 0
+#define XML_MICRO_VERSION 1

 #ifdef __cplusplus
 }

--- a/Modules/expat/xmlparse.c
+++ b/Modules/expat/xmlparse.c
@@ -1550,7 +1550,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
  else if (bufferPtr == bufferEnd) {
    const char *end;
    int nLeftOver;
-    enum XML_Error result;
+    enum XML_Status result;
    parseEndByteIndex += len;
    positionPtr = s;
    ps_finalBuffer = (XML_Bool)isFinal;
@@ -1678,6 +1678,10 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
 void * XMLCALL
 XML_GetBuffer(XML_Parser parser, int len)
 {
+  if (len < 0) {
+    errorCode = XML_ERROR_NO_MEMORY;
+    return NULL;
+  }
  switch (ps_parsing) {
  case XML_SUSPENDED:
    errorCode = XML_ERROR_SUSPENDED;
@@ -1689,10 +1693,16 @@ XML_GetBuffer(XML_Parser parser, int len)
  }

  if (len > bufferLim - bufferEnd) {
-    /* FIXME avoid integer overflow */
+#ifdef XML_CONTEXT_BYTES
+    int keep;
+#endif
    int neededSize = len + (int)(bufferEnd - bufferPtr);
+    if (neededSize < 0) {
+      errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
 #ifdef XML_CONTEXT_BYTES
-    int keep = (int)(bufferPtr - buffer);
+    keep = (int)(bufferPtr - buffer);

    if (keep > XML_CONTEXT_BYTES)
      keep = XML_CONTEXT_BYTES;
@@ -1719,7 +1729,11 @@ XML_GetBuffer(XML_Parser parser, int len)
        bufferSize = INIT_BUFFER_SIZE;
      do {
        bufferSize *= 2;
-      } while (bufferSize < neededSize);
+      } while (bufferSize < neededSize && bufferSize > 0);
+      if (bufferSize <= 0) {
+        errorCode = XML_ERROR_NO_MEMORY;
+        return NULL;
+      }
      newBuf = (char *)MALLOC(bufferSize);
      if (newBuf == 0) {
        errorCode = XML_ERROR_NO_MEMORY;
@@ -2911,6 +2925,8 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
        unsigned long uriHash = hash_secret_salt;
        ((XML_Char *)s)[-1] = 0;  /* clear flag */
        id = (ATTRIBUTE_ID *)lookup(parser, &dtd->attributeIds, s, 0);
+        if (!id || !id->prefix)
+          return XML_ERROR_NO_MEMORY;
        b = id->prefix->binding;
        if (!b)
          return XML_ERROR_UNBOUND_PREFIX;
@@ -5475,6 +5491,8 @@ getAttributeId(XML_Parser parser, const ENCODING *enc,
            return NULL;
          id->prefix = (PREFIX *)lookup(parser, &dtd->prefixes, poolStart(&dtd->pool),
                                        sizeof(PREFIX));
+          if (!id->prefix)
+            return NULL;
          if (id->prefix->name == poolStart(&dtd->pool))
            poolFinish(&dtd->pool);
          else

--- a/Modules/expat/xmltok.c
+++ b/Modules/expat/xmltok.c
@@ -1584,7 +1584,7 @@ initScan(const ENCODING * const *encodingTable,
      if (ptr[0] == '\0') {
        /* 0 isn't a legal data character. Furthermore a document
           entity can only start with ASCII characters.  So the only
-           way this can fail to be big-endian UTF-16 is if it is an
+           way this can fail to be big-endian UTF-16 if it it's an
           external parsed general entity that's labelled as
           UTF-16LE.
        */