Commit f0d8ac28 authored by Benjamin Peterson's avatar Benjamin Peterson

upgrade expt to 2.1.1 (closes #26556)

parent 89c90daf
...@@ -19,6 +19,8 @@ Core and Builtins ...@@ -19,6 +19,8 @@ Core and Builtins
Library Library
------- -------
- Issue #26556: Update expat to 2.1.1, fixes CVE-2015-1283.
- Fix TLS stripping vulnerability in smptlib, CVE-2016-0772. Reported by Team - Fix TLS stripping vulnerability in smptlib, CVE-2016-0772. Reported by Team
Oststrom Oststrom
......
...@@ -1040,7 +1040,7 @@ XML_GetFeatureList(void); ...@@ -1040,7 +1040,7 @@ XML_GetFeatureList(void);
*/ */
#define XML_MAJOR_VERSION 2 #define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 1 #define XML_MINOR_VERSION 1
#define XML_MICRO_VERSION 0 #define XML_MICRO_VERSION 1
#ifdef __cplusplus #ifdef __cplusplus
} }
......
...@@ -1550,7 +1550,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) ...@@ -1550,7 +1550,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
else if (bufferPtr == bufferEnd) { else if (bufferPtr == bufferEnd) {
const char *end; const char *end;
int nLeftOver; int nLeftOver;
enum XML_Error result; enum XML_Status result;
parseEndByteIndex += len; parseEndByteIndex += len;
positionPtr = s; positionPtr = s;
ps_finalBuffer = (XML_Bool)isFinal; ps_finalBuffer = (XML_Bool)isFinal;
...@@ -1678,6 +1678,10 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) ...@@ -1678,6 +1678,10 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
void * XMLCALL void * XMLCALL
XML_GetBuffer(XML_Parser parser, int len) XML_GetBuffer(XML_Parser parser, int len)
{ {
if (len < 0) {
errorCode = XML_ERROR_NO_MEMORY;
return NULL;
}
switch (ps_parsing) { switch (ps_parsing) {
case XML_SUSPENDED: case XML_SUSPENDED:
errorCode = XML_ERROR_SUSPENDED; errorCode = XML_ERROR_SUSPENDED;
...@@ -1689,10 +1693,16 @@ XML_GetBuffer(XML_Parser parser, int len) ...@@ -1689,10 +1693,16 @@ XML_GetBuffer(XML_Parser parser, int len)
} }
if (len > bufferLim - bufferEnd) { if (len > bufferLim - bufferEnd) {
/* FIXME avoid integer overflow */ #ifdef XML_CONTEXT_BYTES
int keep;
#endif
int neededSize = len + (int)(bufferEnd - bufferPtr); int neededSize = len + (int)(bufferEnd - bufferPtr);
if (neededSize < 0) {
errorCode = XML_ERROR_NO_MEMORY;
return NULL;
}
#ifdef XML_CONTEXT_BYTES #ifdef XML_CONTEXT_BYTES
int keep = (int)(bufferPtr - buffer); keep = (int)(bufferPtr - buffer);
if (keep > XML_CONTEXT_BYTES) if (keep > XML_CONTEXT_BYTES)
keep = XML_CONTEXT_BYTES; keep = XML_CONTEXT_BYTES;
...@@ -1719,7 +1729,11 @@ XML_GetBuffer(XML_Parser parser, int len) ...@@ -1719,7 +1729,11 @@ XML_GetBuffer(XML_Parser parser, int len)
bufferSize = INIT_BUFFER_SIZE; bufferSize = INIT_BUFFER_SIZE;
do { do {
bufferSize *= 2; bufferSize *= 2;
} while (bufferSize < neededSize); } while (bufferSize < neededSize && bufferSize > 0);
if (bufferSize <= 0) {
errorCode = XML_ERROR_NO_MEMORY;
return NULL;
}
newBuf = (char *)MALLOC(bufferSize); newBuf = (char *)MALLOC(bufferSize);
if (newBuf == 0) { if (newBuf == 0) {
errorCode = XML_ERROR_NO_MEMORY; errorCode = XML_ERROR_NO_MEMORY;
...@@ -2911,6 +2925,8 @@ storeAtts(XML_Parser parser, const ENCODING *enc, ...@@ -2911,6 +2925,8 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
unsigned long uriHash = hash_secret_salt; unsigned long uriHash = hash_secret_salt;
((XML_Char *)s)[-1] = 0; /* clear flag */ ((XML_Char *)s)[-1] = 0; /* clear flag */
id = (ATTRIBUTE_ID *)lookup(parser, &dtd->attributeIds, s, 0); id = (ATTRIBUTE_ID *)lookup(parser, &dtd->attributeIds, s, 0);
if (!id || !id->prefix)
return XML_ERROR_NO_MEMORY;
b = id->prefix->binding; b = id->prefix->binding;
if (!b) if (!b)
return XML_ERROR_UNBOUND_PREFIX; return XML_ERROR_UNBOUND_PREFIX;
...@@ -5475,6 +5491,8 @@ getAttributeId(XML_Parser parser, const ENCODING *enc, ...@@ -5475,6 +5491,8 @@ getAttributeId(XML_Parser parser, const ENCODING *enc,
return NULL; return NULL;
id->prefix = (PREFIX *)lookup(parser, &dtd->prefixes, poolStart(&dtd->pool), id->prefix = (PREFIX *)lookup(parser, &dtd->prefixes, poolStart(&dtd->pool),
sizeof(PREFIX)); sizeof(PREFIX));
if (!id->prefix)
return NULL;
if (id->prefix->name == poolStart(&dtd->pool)) if (id->prefix->name == poolStart(&dtd->pool))
poolFinish(&dtd->pool); poolFinish(&dtd->pool);
else else
......
...@@ -1584,7 +1584,7 @@ initScan(const ENCODING * const *encodingTable, ...@@ -1584,7 +1584,7 @@ initScan(const ENCODING * const *encodingTable,
if (ptr[0] == '\0') { if (ptr[0] == '\0') {
/* 0 isn't a legal data character. Furthermore a document /* 0 isn't a legal data character. Furthermore a document
entity can only start with ASCII characters. So the only entity can only start with ASCII characters. So the only
way this can fail to be big-endian UTF-16 is if it is an way this can fail to be big-endian UTF-16 if it it's an
external parsed general entity that's labelled as external parsed general entity that's labelled as
UTF-16LE. UTF-16LE.
*/ */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment