nixpkgs/pkgs/development/libraries/expat/CVE-2015-1283-refix.patch

From 29a11774d8ebbafe8418b4a5ffb4cc1160b194a1 Mon Sep 17 00:00:00 2001
From: Pascal Cuoq <cuoq@trust-in-soft.com>
Date: Sun, 15 May 2016 09:05:46 +0200
Subject: [PATCH] Avoid relying on undefined behavior in CVE-2015-1283 fix. It
 does not really work: https://godbolt.org/g/Zl8gdF

---
 expat/lib/xmlparse.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 13e080d..cdb12ef 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -1693,7 +1693,8 @@ XML_GetBuffer(XML_Parser parser, int len)
   }
 
   if (len > bufferLim - bufferEnd) {
-    int neededSize = len + (int)(bufferEnd - bufferPtr);
+    /* Do not invoke signed arithmetic overflow: */
+    int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
     if (neededSize < 0) {
       errorCode = XML_ERROR_NO_MEMORY;
       return NULL;
@@ -1725,7 +1726,8 @@ XML_GetBuffer(XML_Parser parser, int len)
       if (bufferSize == 0)
         bufferSize = INIT_BUFFER_SIZE;
       do {
-        bufferSize *= 2;
+        /* Do not invoke signed arithmetic overflow: */
+        bufferSize = (int) (2U * (unsigned) bufferSize);
       } while (bufferSize < neededSize && bufferSize > 0);
       if (bufferSize <= 0) {
         errorCode = XML_ERROR_NO_MEMORY;
-- 
2.8.2
expat: patch CVE-2015-1283 and CVE-2016-0718 (close #15561) Note, CVE-2015-1283 is already patched in expat version 2.1.1 but, as explained in the patch, the fix was insufficient. 2016-05-19 20:40:04 +01:00			`From 29a11774d8ebbafe8418b4a5ffb4cc1160b194a1 Mon Sep 17 00:00:00 2001`
			`From: Pascal Cuoq <cuoq@trust-in-soft.com>`
			`Date: Sun, 15 May 2016 09:05:46 +0200`
			`Subject: [PATCH] Avoid relying on undefined behavior in CVE-2015-1283 fix. It`
			`does not really work: https://godbolt.org/g/Zl8gdF`

			`---`
			`expat/lib/xmlparse.c \| 6 ++++--`
			`1 file changed, 4 insertions(+), 2 deletions(-)`

			`diff --git a/lib/xmlparse.c b/lib/xmlparse.c`
			`index 13e080d..cdb12ef 100644`
			`--- a/lib/xmlparse.c`
			`+++ b/lib/xmlparse.c`
			`@@ -1693,7 +1693,8 @@ XML_GetBuffer(XML_Parser parser, int len)`
			`}`

			`if (len > bufferLim - bufferEnd) {`
			`- int neededSize = len + (int)(bufferEnd - bufferPtr);`
			`+ /* Do not invoke signed arithmetic overflow: */`
			`+ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));`
			`if (neededSize < 0) {`
			`errorCode = XML_ERROR_NO_MEMORY;`
			`return NULL;`
			`@@ -1725,7 +1726,8 @@ XML_GetBuffer(XML_Parser parser, int len)`
			`if (bufferSize == 0)`
			`bufferSize = INIT_BUFFER_SIZE;`
			`do {`
			`- bufferSize *= 2;`
			`+ /* Do not invoke signed arithmetic overflow: */`
			`+ bufferSize = (int) (2U * (unsigned) bufferSize);`
			`} while (bufferSize < neededSize && bufferSize > 0);`
			`if (bufferSize <= 0) {`
			`errorCode = XML_ERROR_NO_MEMORY;`
			`--`
			`2.8.2`