Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/dev-libs/libxml2/files/libxml2-2.6.32-CVE-2008-422x.patch
diff options
context:
space:
mode:
Diffstat (limited to 'dev-libs/libxml2/files/libxml2-2.6.32-CVE-2008-422x.patch')
-rw-r--r--dev-libs/libxml2/files/libxml2-2.6.32-CVE-2008-422x.patch102
1 files changed, 0 insertions, 102 deletions
diff --git a/dev-libs/libxml2/files/libxml2-2.6.32-CVE-2008-422x.patch b/dev-libs/libxml2/files/libxml2-2.6.32-CVE-2008-422x.patch
deleted file mode 100644
index 87d0b5977a21..000000000000
--- a/dev-libs/libxml2/files/libxml2-2.6.32-CVE-2008-422x.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-This patch backported from libxml2-2.7.2-CVE-2008-422x.patch.
-
-Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-
-Original changelog message:
-Mon Nov 17 16:56:18 CET 2008 Daniel Veillard <daniel@...> (upstream revision 3803)
-
- * SAX2.c parser.c: fix for CVE-2008-4226, a memory overflow
- when building gigantic text nodes, and a bit of cleanup
- to better handled out of memory problem in that code.
- * tree.c: fix for CVE-2008-4225, lack of testing leads to
- a busy loop test assuming one have enough core memory.
-
-diff -Nuar --exclude '*~' --exclude '*.rej' --exclude '*.rej2' --exclude '*.orig' libxml2-2.6.32.orig/SAX2.c libxml2-2.6.32/SAX2.c
---- libxml2-2.6.32.orig/SAX2.c 2008-01-25 05:10:04.000000000 -0800
-+++ libxml2-2.6.32/SAX2.c 2008-12-22 20:42:14.039171616 -0800
-@@ -11,6 +11,7 @@
- #include "libxml.h"
- #include <stdlib.h>
- #include <string.h>
-+#include <limits.h>
- #include <libxml/xmlmemory.h>
- #include <libxml/tree.h>
- #include <libxml/parser.h>
-@@ -26,6 +27,11 @@
- #include <libxml/HTMLtree.h>
- #include <libxml/globals.h>
-
-+/* Define SIZE_T_MAX unless defined through <limits.h>. */
-+#ifndef SIZE_T_MAX
-+# define SIZE_T_MAX ((size_t)-1)
-+#endif /* !SIZE_T_MAX */
-+
- /* #define DEBUG_SAX2 */
- /* #define DEBUG_SAX2_TREE */
-
-@@ -2445,9 +2451,14 @@
- (xmlDictOwns(ctxt->dict, lastChild->content))) {
- lastChild->content = xmlStrdup(lastChild->content);
- }
-+ if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
-+ (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
-+ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
-+ return;
-+ }
- if (ctxt->nodelen + len >= ctxt->nodemem) {
- xmlChar *newbuf;
-- int size;
-+ size_t size;
-
- size = ctxt->nodemem + len;
- size *= 2;
-diff -Nuar --exclude '*~' --exclude '*.rej' --exclude '*.rej2' --exclude '*.orig' libxml2-2.6.32.orig/tree.c libxml2-2.6.32/tree.c
---- libxml2-2.6.32.orig/tree.c 2008-04-08 06:54:48.000000000 -0700
-+++ libxml2-2.6.32/tree.c 2008-12-22 20:47:22.365674451 -0800
-@@ -14,7 +14,7 @@
- #include "libxml.h"
-
- #include <string.h> /* for memset() only ! */
--
-+#include <limits.h>
- #ifdef HAVE_CTYPE_H
- #include <ctype.h>
- #endif
-@@ -6916,7 +6916,13 @@
- case XML_BUFFER_ALLOC_DOUBLEIT:
- /*take care of empty case*/
- newSize = (buf->size ? buf->size*2 : size + 10);
-- while (size > newSize) newSize *= 2;
-+ while (size > newSize) {
-+ if (newSize > UINT_MAX / 2) {
-+ xmlTreeErrMemory("growing buffer");
-+ return 0;
-+ }
-+ newSize *= 2;
-+ }
- break;
- case XML_BUFFER_ALLOC_EXACT:
- newSize = size+10;
-diff -Nuar --exclude '*~' --exclude '*.rej' --exclude '*.rej2' --exclude '*.orig' libxml2-2.6.32.orig/parser.c libxml2-2.6.32/parser.c
---- libxml2-2.6.32.orig/parser.c 2008-04-08 07:47:58.000000000 -0700
-+++ libxml2-2.6.32/parser.c 2008-12-22 20:42:14.053327110 -0800
-@@ -3758,6 +3758,9 @@
- line = ctxt->input->line;
- col = ctxt->input->col;
- }
-+ /* something really bad happened in the SAX callback */
-+ if (ctxt->instate != XML_PARSER_CONTENT)
-+ return;
- }
- ctxt->input->cur = in;
- if (*in == 0xD) {
-@@ -3838,6 +3841,9 @@
- }
- }
- nbchar = 0;
-+ /* something really bad happened in the SAX callback */
-+ if (ctxt->instate != XML_PARSER_CONTENT)
-+ return;
- }
- count++;
- if (count > 50) {