
Issue 1224303003: Apply a patch to prevent an integer overflow in expat. (Closed)

Created: 5 years, 5 months ago by Martin Barbella
Modified: 5 years, 3 months ago
Reviewers: daniel.gutson, wrowe
CC: chromium-reviews
Base URL: https://chromium.googlesource.com/chromium/src.git@2403
Target Ref: refs/pending/branch-heads/2403
Project: chromium
Visibility: Public.

Description

Apply a patch to prevent an integer overflow in expat.

See https://www.mozilla.org/en-US/security/advisories/mfsa2015-54/ for Mozilla's advisory.

Patch taken from https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c

BUG=492052

Review URL: https://codereview.chromium.org/1151263010

Cr-Commit-Position: refs/heads/master@{#332964}
(cherry picked from commit 84ee0ec84f9de080e7d0e84dae6399d12c519d72)

Committed: https://chromium.googlesource.com/chromium/src/+/33f223ef93963e0efd0360445b28ce630f59bdc5

Patch Set 1 #

Total comments: 3
Stats: +24 lines, -2 lines
M third_party/expat/README.chromium (2 chunks, +4 lines, -1 line, 0 comments)
M third_party/expat/files/lib/xmlparse.c (3 chunks, +21 lines, -2 lines, 3 comments)
A + third_party/expat/files/lib/xmlparse.c.original (0 chunks, +-1 lines, --1 lines, 0 comments)

Messages

Total messages: 6 (2 generated)
Martin Barbella
Committed patchset #1 (id:1) manually as 33f223ef93963e0efd0360445b28ce630f59bdc5.
5 years, 5 months ago (2015-07-10 16:54:21 UTC) #1
VZ
https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib/xmlparse.c
File third_party/expat/files/lib/xmlparse.c (right):

https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib/xmlparse.c#newcode1733
third_party/expat/files/lib/xmlparse.c:1733: /* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) ...
5 years, 5 months ago (2015-07-26 22:35:06 UTC) #2
wrowe
Simple suggestion for C89 correctness.

https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib/xmlparse.c
File third_party/expat/files/lib/xmlparse.c (right):

https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib/xmlparse.c#newcode1698
third_party/expat/files/lib/xmlparse.c:1698: int neededSize = len ...
5 years, 4 months ago (2015-08-06 18:45:51 UTC) #4
daniel.gutson
5 years, 3 months ago (2015-09-01 13:17:04 UTC) #6
Message was sent while issue was closed.
I recommend using size_t rather than signed integers.

https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib...
File third_party/expat/files/lib/xmlparse.c (right):

https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib...
third_party/expat/files/lib/xmlparse.c:1698: int neededSize = len +
(int)(bufferEnd - bufferPtr);
May I ask why you are using signed types? A size should always be positive;
moreover, the type should be size_t.
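
Added example, not part of the review thread or of the committed patch: the two ways of computing a buffer requirement like `len + (int)(bufferEnd - bufferPtr)` without overflow (signed with a pre-check, and `size_t` as the last comment recommends), plus a doubling loop that fails instead of spinning once the capacity can no longer grow. All function names and the 1024-byte starting size are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Signed form. Signed overflow is undefined behaviour in C, so the range
 * check must happen BEFORE the addition, not on its result.
 * Returns the sum, or -1 if the inputs are negative or the sum would
 * exceed INT_MAX. (Hypothetical helper, not expat code.) */
int needed_size_int(int len, int used)
{
    if (len < 0 || used < 0 || len > INT_MAX - used)
        return -1;
    return len + used;
}

/* size_t form. Unsigned arithmetic wraps silently, so the check is still
 * required; only the bound changes. Returns 0 on success, -1 on overflow. */
int needed_size_sz(size_t len, size_t used, size_t *out)
{
    if (len > SIZE_MAX - used)
        return -1;
    *out = len + used;
    return 0;
}

/* Capacity growth by doubling. Without the SIZE_MAX / 2 test, cap would
 * wrap to 0 and `cap < needed` would stay true forever.
 * Returns 0 on success, -1 if no representable capacity satisfies needed. */
int grow_capacity(size_t current, size_t needed, size_t *out)
{
    size_t cap = current ? current : 1024; /* constructed initial size */

    while (cap < needed) {
        if (cap > SIZE_MAX / 2)
            return -1;
        cap *= 2;
    }
    *out = cap;
    return 0;
}
```

Either type works only if the caller treats the failure return as an allocation error and stops; switching to `size_t` removes the undefined behaviour but not the need for the bound check.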
