Chromium Code Reviews
Help | Chromium Project | Gerrit Changes | Sign in
(11)

Issue 1224303003: Apply a patch to prevent an integer overflow in expat. (Closed)

Can't Edit
Can't Publish+Mail
Start Review
Created:
1 year, 10 months ago by Martin Barbella
Modified:
1 year, 8 months ago
Reviewers:
daniel.gutson, wrowe
CC:
chromium-reviews
Base URL:
https://chromium.googlesource.com/chromium/src.git@2403
Target Ref:
refs/pending/branch-heads/2403
Project:
chromium
Visibility:
Public.

Description

Apply a patch to prevent an integer overflow in expat. See https://www.mozilla.org/en-US/security/advisories/mfsa2015-54/ for Mozilla's advisory. Patch taken from https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c BUG=492052 Review URL: https://codereview.chromium.org/1151263010 Cr-Commit-Position: refs/heads/master@{#332964} (cherry picked from commit 84ee0ec84f9de080e7d0e84dae6399d12c519d72) Committed: https://chromium.googlesource.com/chromium/src/+/33f223ef93963e0efd0360445b28ce630f59bdc5

Patch Set 1 #

Total comments: 3
Unified diffs Side-by-side diffs Delta from patch set Stats (+24 lines, -2 lines) Patch
M third_party/expat/README.chromium View 2 chunks +4 lines, -1 line 0 comments Download
M third_party/expat/files/lib/xmlparse.c View 3 chunks +21 lines, -2 lines 3 comments Download
A + third_party/expat/files/lib/xmlparse.c.original View 0 chunks +-1 lines, --1 lines 0 comments Download
Trybot results:
Commit queue not available (can’t edit this change).

Messages

Total messages: 6 (2 generated)
Martin Barbella
Committed patchset #1 (id:1) manually as 33f223ef93963e0efd0360445b28ce630f59bdc5.
1 year, 10 months ago (2015-07-10 16:54:21 UTC) #1
VZ
https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib/xmlparse.c File third_party/expat/files/lib/xmlparse.c (right): https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib/xmlparse.c#newcode1733 third_party/expat/files/lib/xmlparse.c:1733: /* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) ...
1 year, 10 months ago (2015-07-26 22:35:06 UTC) #2
wrowe
Simple suggestion for C89 correctness. https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib/xmlparse.c File third_party/expat/files/lib/xmlparse.c (right): https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib/xmlparse.c#newcode1698 third_party/expat/files/lib/xmlparse.c:1698: int neededSize = len ...
1 year, 9 months ago (2015-08-06 18:45:51 UTC) #4
daniel.gutson
1 year, 8 months ago (2015-09-01 13:17:04 UTC) #6
Message was sent while issue was closed.
I recommend using size_t rather than signed integers.

https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib...
File third_party/expat/files/lib/xmlparse.c (right):

https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib...
third_party/expat/files/lib/xmlparse.c:1698: int neededSize = len +
(int)(bufferEnd - bufferPtr);
May I ask why are you using signed types? A size should always be positive;
moreover, the type should be size_t
Sign in to reply to this message.

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld 650457f06