https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2716

Address CVE-2015-2716, which was also called CVE-2015-1283.

https://github.com/libexpat/libexpat/commit/ba0f9c3b40c264b8dd392e02a7a060a8fa54f032.patch

https://github.com/libexpat/libexpat/commit/f0bec73b018caa07d3e75ec8dd967f3785d71bde.patch

--- expat-2.1.0/lib/xmlparse.c.cve2716

+++ expat-2.1.0/lib/xmlparse.c

@@ -1678,6 +1678,10 @@

 void * XMLCALL

 XML_GetBuffer(XML_Parser parser, int len)

 {

+  if (len < 0) {

+    errorCode = XML_ERROR_NO_MEMORY;

+    return NULL;

+  }

   switch (ps_parsing) {

   case XML_SUSPENDED:

     errorCode = XML_ERROR_SUSPENDED;

@@ -1689,8 +1693,11 @@

   }

   if (len > bufferLim - bufferEnd) {

-    /* FIXME avoid integer overflow */

-    int neededSize = len + (int)(bufferEnd - bufferPtr);

+    int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));

+    if (neededSize < 0) {

+      errorCode = XML_ERROR_NO_MEMORY;

+      return NULL;

+    }

 #ifdef XML_CONTEXT_BYTES

     int keep = (int)(bufferPtr - buffer);

@@ -1718,8 +1725,13 @@

       if (bufferSize == 0)

         bufferSize = INIT_BUFFER_SIZE;

       do {

-        bufferSize *= 2;

-      } while (bufferSize < neededSize);

+        /* Do not invoke signed arithmetic overflow: */

+        bufferSize = (int) (2U * (unsigned) bufferSize);

+      } while (bufferSize < neededSize && bufferSize > 0);

+      if (bufferSize <= 0) {

+        errorCode = XML_ERROR_NO_MEMORY;

+        return NULL;

+      }

       newBuf = (char *)MALLOC(bufferSize);

       if (newBuf == 0) {

         errorCode = XML_ERROR_NO_MEMORY;