Commit 161c4453 authored by Salvatore Bonaccorso's avatar Salvatore Bonaccorso Committed by William Blough

Import Debian changes 3.1.1-5.1

xerces-c (3.1.1-5.1) unstable; urgency=high

  * Non-maintainer upload.
  * Add CVE-2015-0252.patch patch.
    CVE-2015-0252: Apache Xerces-C XML parser crashes on malformed input.
    (Closes: #780827)
parent d4fd5bde
xerces-c (3.1.1-5.1) unstable; urgency=high
* Non-maintainer upload.
* Add CVE-2015-0252.patch patch.
CVE-2015-0252: Apache Xerces-C XML parser crashes on malformed input.
(Closes: #780827)
-- Salvatore Bonaccorso <carnil@debian.org> Fri, 20 Mar 2015 19:40:31 +0100
xerces-c (3.1.1-5) unstable; urgency=medium
* Apply upstream patch for PATH_MAX to enable compilation on GNU hurd.
......
Description: CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input
The Xerces-C XML parser mishandles certain kinds of malformed input
documents, resulting in a segmentation fault during a parse operation.
Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1667870
Bug-Debian: https://bugs.debian.org/780827
Forwarded: not-needed
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2015-03-12
Applied-Upstream: 3.1.2
--- a/src/xercesc/internal/XMLReader.cpp
+++ b/src/xercesc/internal/XMLReader.cpp
@@ -1460,6 +1460,17 @@ void XMLReader::doInitDecode()
while (fRawBufIndex < fRawBytesAvail)
{
+ // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume.
+ if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) {
+ ThrowXMLwithMemMgr1
+ (
+ TranscodingException
+ , XMLExcepts::Reader_CouldNotDecodeFirstLine
+ , fSystemId
+ , fMemoryManager
+ );
+ }
+
// Get out the current 4 byte value and inc our raw buf index
UCS4Ch curVal = *asUCS++;
fRawBufIndex += sizeof(UCS4Ch);
@@ -1619,6 +1630,17 @@ void XMLReader::doInitDecode()
while (fRawBufIndex < fRawBytesAvail)
{
+ // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume.
+ if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) {
+ ThrowXMLwithMemMgr1
+ (
+ TranscodingException
+ , XMLExcepts::Reader_CouldNotDecodeFirstLine
+ , fSystemId
+ , fMemoryManager
+ );
+ }
+
// Get out the current 2 byte value
UTF16Ch curVal = *asUTF16++;
fRawBufIndex += sizeof(UTF16Ch);
@@ -1708,6 +1730,17 @@ void XMLReader::doInitDecode()
//
void XMLReader::refreshRawBuffer()
{
+ // Security fix: make sure we don't underflow on the subtraction.
+ if (fRawBufIndex > fRawBytesAvail) {
+ ThrowXMLwithMemMgr1
+ (
+ RuntimeException
+ , XMLExcepts::Str_StartIndexPastEnd
+ , fSystemId
+ , fMemoryManager
+ );
+ }
+
//
// If there are any bytes left, move them down to the start. There
// should only ever be (max bytes per char - 1) at the most.
hurd-path-max.patch
CVE-2015-0252.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment