From 61bec2305bd7166e6f16eee94f493e9d6f3f2c7e Mon Sep 17 00:00:00 2001
From: delphij <delphij@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Tue, 18 Aug 2015 19:30:35 +0000
Subject: [PATCH] Fix multiple integer overflows in expat.

Security:	CVE-2015-1283
Security:	FreeBSD-SA-15:20.expat
Approved by:	so


git-svn-id: svn://svn.freebsd.org/base/releng/9.3@286902 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 UPDATING                     |  5 +++++
 contrib/expat/lib/xmlparse.c | 23 +++++++++++++++++++++--
 sys/conf/newvers.sh          |  2 +-
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/UPDATING b/UPDATING
index 7d95b1d5c..8dcc8fc96 100644
--- a/UPDATING
+++ b/UPDATING
@@ -11,6 +11,11 @@ handbook:
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20150818:	p23	FreeBSD-SA-15:20.expat
+
+	Fix multiple integer overflows in expat (libbsdxml) XML parser.
+	[SA-15:20]
+
 20150805:	p22	FreeBSD-SA-15:19.routed
 
 	Fix routed remote denial of service vulnerability.
diff --git a/contrib/expat/lib/xmlparse.c b/contrib/expat/lib/xmlparse.c
index f35aa36ba..ede7b5bb6 100644
--- a/contrib/expat/lib/xmlparse.c
+++ b/contrib/expat/lib/xmlparse.c
@@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
 void * XMLCALL
 XML_GetBuffer(XML_Parser parser, int len)
 {
+/* BEGIN MOZILLA CHANGE (sanity check len) */
+  if (len < 0) {
+    errorCode = XML_ERROR_NO_MEMORY;
+    return NULL;
+  }
+/* END MOZILLA CHANGE */
   switch (ps_parsing) {
   case XML_SUSPENDED:
     errorCode = XML_ERROR_SUSPENDED;
@@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len)
   }
 
   if (len > bufferLim - bufferEnd) {
-    /* FIXME avoid integer overflow */
     int neededSize = len + (int)(bufferEnd - bufferPtr);
+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
+    if (neededSize < 0) {
+      errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
+/* END MOZILLA CHANGE */
 #ifdef XML_CONTEXT_BYTES
     int keep = (int)(bufferPtr - buffer);
 
@@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len)
         bufferSize = INIT_BUFFER_SIZE;
       do {
         bufferSize *= 2;
-      } while (bufferSize < neededSize);
+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
+      } while (bufferSize < neededSize && bufferSize > 0);
+/* END MOZILLA CHANGE */
+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
+      if (bufferSize <= 0) {
+        errorCode = XML_ERROR_NO_MEMORY;
+        return NULL;
+      }
+/* END MOZILLA CHANGE */
       newBuf = (char *)MALLOC(bufferSize);
       if (newBuf == 0) {
         errorCode = XML_ERROR_NO_MEMORY;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 97f3fe8d0..f5c1e4f8d 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.3"
-BRANCH="RELEASE-p22"
+BRANCH="RELEASE-p23"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
-- 
2.42.0