rpms / firefox

Clone
Source Code
GIT

Blame SOURCES/expat-CVE-2022-25315.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-plus c8 c8-beta c8-containeronly-stream-flatpak c8-init-modify c8-init-modify2 c8s c9 c9-beta c9-containeronly-stream-flatpak
  1.   9728d7f53514d673cec20bbe7094511bc5c5f4af
  2.   SOURCES
  3.   expat-CVE-2022-25315.patch
Blob History Raw
9728d7 
diff -up firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 firefox-91.7.0/parser/expat/lib/xmlparse.c
9728d7 
--- firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315	2022-03-02 18:17:50.966583254 +0100
9728d7 
+++ firefox-91.7.0/parser/expat/lib/xmlparse.c	2022-03-02 18:19:27.636924735 +0100
9728d7 
@@ -2479,6 +2479,7 @@ storeRawNames(XML_Parser parser)
9728d7 
   while (tag) {
9728d7 
     int bufSize;
9728d7 
     int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);
9728d7 
+    size_t rawNameLen;
9728d7 
     char *rawNameBuf = tag->buf + nameLen;
9728d7 
     /* Stop if already stored.  Since tagStack is a stack, we can stop
9728d7 
        at the first entry that has already been copied; everything
9728d7 
@@ -2490,7 +2491,11 @@ storeRawNames(XML_Parser parser)
9728d7 
     /* For re-use purposes we need to ensure that the
9728d7 
        size of tag->buf is a multiple of sizeof(XML_Char).
9728d7 
     */
9728d7 
-    bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
9728d7 
+    rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
9728d7 
+    /* Detect and prevent integer overflow. */
9728d7 
+    if (rawNameLen > (size_t)INT_MAX - nameLen)
9728d7 
+      return XML_FALSE;
9728d7 
+    bufSize = nameLen + (int)rawNameLen;
9728d7 
     if (bufSize > tag->bufEnd - tag->buf) {
9728d7 
       char *temp = (char *)REALLOC(tag->buf, bufSize);
9728d7 
       if (temp == NULL)

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation