From cbe5fcb54c7cb4dbded0e7e591672592f1269618 Mon Sep 17 00:00:00 2001
From: delphij <delphij@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Tue, 18 Aug 2015 19:30:17 +0000
Subject: [PATCH] Fix multiple integer overflows in expat.

Security:	CVE-2015-1283
Security:	FreeBSD-SA-15:20.expat

Fix make(1) syntax errors when upgrading from 9.x and earlier.
[EN-15:11]

Fix incorrect netstat(1) data handling on 32-bit systems.
[EN-15:12]

Allow size argument to vidcontrol(1) for syscons(4). [EN-15:13]

Approved by:	so


git-svn-id: https://svn.freebsd.org/base/releng/10.2@286901 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 Makefile.inc1                    |  4 ++--
 UPDATING                         | 18 +++++++++++++++++-
 contrib/expat/lib/xmlparse.c     | 23 +++++++++++++++++++++--
 sys/conf/newvers.sh              |  2 +-
 usr.bin/netstat/main.c           | 24 ++++++++++++++++++------
 usr.sbin/vidcontrol/vidcontrol.c |  2 +-
 6 files changed, 60 insertions(+), 13 deletions(-)

diff --git a/Makefile.inc1 b/Makefile.inc1
index 7280ad8f9..a296c930c 100644
--- a/Makefile.inc1
+++ b/Makefile.inc1
@@ -133,8 +133,8 @@ OSRELDATE=	0
 .endif
 
 .if !defined(VERSION)
-REVISION!=	make -C ${SRCDIR}/release -V REVISION
-BRANCH!=	make -C ${SRCDIR}/release -V BRANCH
+REVISION!=	${MAKE} -C ${SRCDIR}/release -V REVISION
+BRANCH!=	${MAKE} -C ${SRCDIR}/release -V BRANCH
 SRCRELDATE!=	awk '/^\#define[[:space:]]*__FreeBSD_version/ { print $$3 }' \
 		${SRCDIR}/sys/sys/param.h
 VERSION=	FreeBSD ${REVISION}-${BRANCH:C/-p[0-9]+$//} ${TARGET_ARCH} ${SRCRELDATE}
diff --git a/UPDATING b/UPDATING
index 5a01e9553..45f4d9775 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,7 +16,23 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
-20150817:
+20150818:	p1	FreeBSD-SA-15:20.expat
+			FreeBSD-EN-15:11.toolchain
+			FreeBSD-EN-15:12.netstat
+			FreeBSD-EN-15:13.vidcontrol
+
+	Fix multiple integer overflows in expat (libbsdxml) XML parser.
+	[SA-15:20]
+
+	Fix make(1) syntax errors when upgrading from 9.x and earlier.
+	[EN-15:11]
+
+	Fix incorrect netstat(1) data handling on 32-bit systems.
+	[EN-15:12]
+
+	Allow size argument to vidcontrol(1) for syscons(4). [EN-15:13]
+
+20150813:
 	10.2-RELEASE.
 
 20150703:
diff --git a/contrib/expat/lib/xmlparse.c b/contrib/expat/lib/xmlparse.c
index f35aa36ba..ede7b5bb6 100644
--- a/contrib/expat/lib/xmlparse.c
+++ b/contrib/expat/lib/xmlparse.c
@@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
 void * XMLCALL
 XML_GetBuffer(XML_Parser parser, int len)
 {
+/* BEGIN MOZILLA CHANGE (sanity check len) */
+  if (len < 0) {
+    errorCode = XML_ERROR_NO_MEMORY;
+    return NULL;
+  }
+/* END MOZILLA CHANGE */
   switch (ps_parsing) {
   case XML_SUSPENDED:
     errorCode = XML_ERROR_SUSPENDED;
@@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len)
   }
 
   if (len > bufferLim - bufferEnd) {
-    /* FIXME avoid integer overflow */
     int neededSize = len + (int)(bufferEnd - bufferPtr);
+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
+    if (neededSize < 0) {
+      errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
+/* END MOZILLA CHANGE */
 #ifdef XML_CONTEXT_BYTES
     int keep = (int)(bufferPtr - buffer);
 
@@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len)
         bufferSize = INIT_BUFFER_SIZE;
       do {
         bufferSize *= 2;
-      } while (bufferSize < neededSize);
+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
+      } while (bufferSize < neededSize && bufferSize > 0);
+/* END MOZILLA CHANGE */
+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
+      if (bufferSize <= 0) {
+        errorCode = XML_ERROR_NO_MEMORY;
+        return NULL;
+      }
+/* END MOZILLA CHANGE */
       newBuf = (char *)MALLOC(bufferSize);
       if (newBuf == 0) {
         errorCode = XML_ERROR_NO_MEMORY;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 7c89ae682..6feea13e7 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.2"
-BRANCH="RELEASE"
+BRANCH="RELEASE-p1"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/usr.bin/netstat/main.c b/usr.bin/netstat/main.c
index 1bfc951db..6a1ab185b 100644
--- a/usr.bin/netstat/main.c
+++ b/usr.bin/netstat/main.c
@@ -785,19 +785,31 @@ kread_counter(u_long addr)
 int
 kread_counters(u_long addr, void *buf, size_t size)
 {
-	uint64_t *c = buf;
+	uint64_t *c;
+	u_long *counters;
+	size_t i, n;
 
 	if (kvmd_init() < 0)
 		return (-1);
 
-	if (kread(addr, buf, size) < 0)
+	if (size % sizeof(uint64_t) != 0) {
+		warnx("kread_counters: invalid counter set size");
 		return (-1);
+	}
 
-	while (size != 0) {
-		*c = kvm_counter_u64_fetch(kvmd, *c);
-		size -= sizeof(*c);
-		c++;
+	n = size / sizeof(uint64_t);
+	if ((counters = malloc(n * sizeof(u_long))) == NULL)
+		err(-1, "malloc");
+	if (kread(addr, counters, n * sizeof(u_long)) < 0) {
+		free(counters);
+		return (-1);
 	}
+
+	c = buf;
+	for (i = 0; i < n; i++)
+		c[i] = kvm_counter_u64_fetch(kvmd, counters[i]);
+
+	free(counters);
 	return (0);
 }
 
diff --git a/usr.sbin/vidcontrol/vidcontrol.c b/usr.sbin/vidcontrol/vidcontrol.c
index 3001f6998..e1981f3ad 100644
--- a/usr.sbin/vidcontrol/vidcontrol.c
+++ b/usr.sbin/vidcontrol/vidcontrol.c
@@ -1343,7 +1343,7 @@ main(int argc, char **argv)
 	if (vt4_mode)
 		opts = "b:Cc:fg:h:Hi:M:m:pPr:S:s:T:t:x";
 	else
-		opts = "b:Cc:df:g:h:Hi:l:LM:m:pPr:S:s:T:t:x";
+		opts = "b:Cc:dfg:h:Hi:l:LM:m:pPr:S:s:T:t:x";
 
 	while ((opt = getopt(argc, argv, opts)) != -1)
 		switch(opt) {
-- 
2.42.0