head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.4 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.2 pkgsrc-2012Q4-base:1.2 pkgsrc-2012Q2:1.1.0.2; locks; strict; comment @# @; 1.2 date 2012.09.15.10.23.39; author adam; state dead; branches; next 1.1; 1.1 date 2012.08.01.14.51.37; author drochner; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2012.08.01.14.51.37; author tron; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2012.08.09.18.05.03; author tron; state Exp; branches; next ; desc @@ 1.2 log @Changes 2.9.0: Features: * A few new API entry points, * More resilient push parser mode, * A lot of portability improvement, * Faster XPath evaluation @ text @$NetBSD: patch-bb,v 1.1 2012/08/01 14:51:37 drochner Exp $ upstream commits 4f9fdc709c4861c390cd84e2ed1fd878b3442e28 and baaf03f80f817bb34c421421e6cb4d68c353ac9a related to CVE-2012-2807 --- entities.c.orig 2010-02-15 10:58:14.000000000 +0000 +++ entities.c @@@@ -528,13 +528,13 @@@@ xmlGetDocEntity(xmlDocPtr doc, const xml * Macro used to grow the current buffer. 
*/ #define growBufferReentrant() { \ - buffer_size *= 2; \ - buffer = (xmlChar *) \ - xmlRealloc(buffer, buffer_size * sizeof(xmlChar)); \ - if (buffer == NULL) { \ - xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\ - return(NULL); \ - } \ + xmlChar *tmp; \ + size_t new_size = buffer_size * 2; \ + if (new_size < buffer_size) goto mem_error; \ + tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ + if (tmp == NULL) goto mem_error; \ + buffer = tmp; \ + buffer_size = new_size; \ } @@@@ -555,7 +555,7 @@@@ xmlEncodeEntitiesReentrant(xmlDocPtr doc const xmlChar *cur = input; xmlChar *buffer = NULL; xmlChar *out = NULL; - int buffer_size = 0; + size_t buffer_size = 0; int html = 0; if (input == NULL) return(NULL); @@@@ -574,8 +574,8 @@@@ xmlEncodeEntitiesReentrant(xmlDocPtr doc out = buffer; while (*cur != '\0') { - if (out - buffer > buffer_size - 100) { - int indx = out - buffer; + size_t indx = out - buffer; + if (indx + 100 > buffer_size) { growBufferReentrant(); out = &buffer[indx]; @@@@ -692,6 +692,11 @@@@ xmlEncodeEntitiesReentrant(xmlDocPtr doc } *out = 0; return(buffer); + +mem_error: + xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed"); + xmlFree(buffer); + return(NULL); } /** @@@@ -709,7 +714,7 @@@@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR const xmlChar *cur = input; xmlChar *buffer = NULL; xmlChar *out = NULL; - int buffer_size = 0; + size_t buffer_size = 0; if (input == NULL) return(NULL); /* @@@@ -724,8 +729,8 @@@@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR out = buffer; while (*cur != '\0') { - if (out - buffer > buffer_size - 10) { - int indx = out - buffer; + size_t indx = out - buffer; + if (indx + 10 > buffer_size) { growBufferReentrant(); out = &buffer[indx]; @@@@ -774,6 +779,11 @@@@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR } *out = 0; return(buffer); + +mem_error: + xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed"); + xmlFree(buffer); + return(NULL); } /** @ 1.1 log @add patches from upstream to fix integer 
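Review bot: The rewritten `growBufferReentrant()` now depends on three things in the expanding function (a `buffer` pointer, an unsigned `buffer_size`, and a `mem_error` label), and nothing at the definition states that contract. A comment above the macro would cover it, for example `/* Caller must declare xmlChar *buffer, size_t buffer_size and a mem_error: cleanup label; leaves via goto on wrap or realloc failure. */`. The wrap test `new_size < buffer_size` only detects an overflowing doubling because `buffer_size` is now `size_t`, so the comment should say that too; a signed declaration would silently bring back the bug this patch fixes. The body is still a bare `{ ... }` block, and `do { ... } while (0)` would keep it safe under an unbraced `if`. The same patch text is stored again under revision 1.1.2.2, so these notes apply to that copy as well.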
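Review bot: The headroom test `if (indx + 100 > buffer_size)` in xmlEncodeEntitiesReentrant is only safe if one pass of the `while` body never writes 100 bytes or more, and that bound is set by code outside this hunk. The matching test in xmlEncodeSpecialChars, `indx + 10 > buffer_size`, has the same dependency with a much smaller margin. I would name the two margins as constants and put a comment at each check, such as `/* one iteration emits at most N bytes incl. the terminating 0 */`, so a later change to the loop body has to revisit the number. If any branch of the body copies a variable-length run, such as an entity name, it would need its own bounds check; whether one exists cannot be seen from here.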
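Review bot: The new `mem_error:` block in xmlEncodeEntitiesReentrant logs "realloc failed" even when the jump came from the size-wrap test in the macro, so the message cannot distinguish memory exhaustion from an input large enough to overflow the size. The label in xmlEncodeSpecialChars has the same issue. A neutral message such as "buffer growth failed", or separate labels for the two cases, would make the log more useful when triaging a suspected CVE-2012-2807 trigger. It is also worth a one-line comment that `xmlFree(buffer)` is valid here only because the macro leaves the old pointer in `buffer` when `xmlRealloc` fails, for example `/* buffer still owns the pre-realloc block */`. Both functions begin outside these hunks, so whether any other path can reach the label with `buffer` unset is not visible.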
overflows which can cause DOS or possibly other corruption (CVE-2012-2807) bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-bb was added on branch pkgsrc-2012Q2 on 2012-08-09 18:05:03 +0000 @ text @d1 93 @ 1.1.2.2 log @Pullup ticket #3890 - requested by drochner textproc/libxml2: security patch Revisions pulled up: - textproc/libxml2/Makefile 1.119 - textproc/libxml2/distinfo 1.94 - textproc/libxml2/patches/patch-ba 1.1 - textproc/libxml2/patches/patch-bb 1.1 --- Module Name: pkgsrc Committed By: drochner Date: Wed Aug 1 14:51:37 UTC 2012 Modified Files: pkgsrc/textproc/libxml2: Makefile distinfo Added Files: pkgsrc/textproc/libxml2/patches: patch-ba patch-bb Log Message: add patches from upstream to fix integer overflows which can cause DOS or possibly other corruption (CVE-2012-2807) bump PKGREV @ text @a0 93 $NetBSD$ upstream commits 4f9fdc709c4861c390cd84e2ed1fd878b3442e28 and baaf03f80f817bb34c421421e6cb4d68c353ac9a related to CVE-2012-2807 --- entities.c.orig 2010-02-15 10:58:14.000000000 +0000 +++ entities.c @@@@ -528,13 +528,13 @@@@ xmlGetDocEntity(xmlDocPtr doc, const xml * Macro used to grow the current buffer. 
*/ #define growBufferReentrant() { \ - buffer_size *= 2; \ - buffer = (xmlChar *) \ - xmlRealloc(buffer, buffer_size * sizeof(xmlChar)); \ - if (buffer == NULL) { \ - xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\ - return(NULL); \ - } \ + xmlChar *tmp; \ + size_t new_size = buffer_size * 2; \ + if (new_size < buffer_size) goto mem_error; \ + tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ + if (tmp == NULL) goto mem_error; \ + buffer = tmp; \ + buffer_size = new_size; \ } @@@@ -555,7 +555,7 @@@@ xmlEncodeEntitiesReentrant(xmlDocPtr doc const xmlChar *cur = input; xmlChar *buffer = NULL; xmlChar *out = NULL; - int buffer_size = 0; + size_t buffer_size = 0; int html = 0; if (input == NULL) return(NULL); @@@@ -574,8 +574,8 @@@@ xmlEncodeEntitiesReentrant(xmlDocPtr doc out = buffer; while (*cur != '\0') { - if (out - buffer > buffer_size - 100) { - int indx = out - buffer; + size_t indx = out - buffer; + if (indx + 100 > buffer_size) { growBufferReentrant(); out = &buffer[indx]; @@@@ -692,6 +692,11 @@@@ xmlEncodeEntitiesReentrant(xmlDocPtr doc } *out = 0; return(buffer); + +mem_error: + xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed"); + xmlFree(buffer); + return(NULL); } /** @@@@ -709,7 +714,7 @@@@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR const xmlChar *cur = input; xmlChar *buffer = NULL; xmlChar *out = NULL; - int buffer_size = 0; + size_t buffer_size = 0; if (input == NULL) return(NULL); /* @@@@ -724,8 +729,8 @@@@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR out = buffer; while (*cur != '\0') { - if (out - buffer > buffer_size - 10) { - int indx = out - buffer; + size_t indx = out - buffer; + if (indx + 10 > buffer_size) { growBufferReentrant(); out = &buffer[indx]; @@@@ -774,6 +779,11 @@@@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR } *out = 0; return(buffer); + +mem_error: + xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed"); + xmlFree(buffer); + return(NULL); } /** @