From e1820d14439abedb1cb1caa5cd9f68bcfcbbd466 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Tue, 12 May 2015 23:18:29 -0400
Subject: gnu: icecat: Apply fixes for CVE-2015-{0797,2708,2710,2713,2716}.

* gnu/packages/patches/icecat-CVE-2015-0797.patch,
  gnu/packages/patches/icecat-CVE-2015-2708-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2708-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2708-pt3.patch,
  gnu/packages/patches/icecat-CVE-2015-2708-pt4.patch,
  gnu/packages/patches/icecat-CVE-2015-2710-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2710-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2710-pt3.patch,
  gnu/packages/patches/icecat-CVE-2015-2713-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2713-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2716.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat): Add patches.
---
 gnu/packages/patches/icecat-CVE-2015-2716.patch | 62 +++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 gnu/packages/patches/icecat-CVE-2015-2716.patch

(limited to 'gnu/packages/patches/icecat-CVE-2015-2716.patch')

diff --git a/gnu/packages/patches/icecat-CVE-2015-2716.patch b/gnu/packages/patches/icecat-CVE-2015-2716.patch
new file mode 100644
index 0000000000..ce036a0921
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2716.patch
@@ -0,0 +1,62 @@
+From 9dcb4563847cb6e2a8112dca03d2684907f96313 Mon Sep 17 00:00:00 2001
+From: Eric Rahm <erahm@mozilla.com>
+Date: Fri, 10 Apr 2015 15:50:23 -0700
+Subject: [PATCH] Bug 1140537 - Sanity check size calculations. r=peterv,
+ a=abillings
+
+---
+ parser/expat/lib/xmlparse.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c
+index 70acf1a..436b735 100644
+--- a/parser/expat/lib/xmlparse.c
++++ b/parser/expat/lib/xmlparse.c
+@@ -1651,6 +1651,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
+ void * XMLCALL
+ XML_GetBuffer(XML_Parser parser, int len)
+ {
++/* BEGIN MOZILLA CHANGE (sanity check len) */
++  if (len < 0) {
++    errorCode = XML_ERROR_NO_MEMORY;
++    return NULL;
++  }
++/* END MOZILLA CHANGE */
+   switch (ps_parsing) {
+   case XML_SUSPENDED:
+     errorCode = XML_ERROR_SUSPENDED;
+@@ -1662,8 +1668,13 @@ XML_GetBuffer(XML_Parser parser, int len)
+   }
+ 
+   if (len > bufferLim - bufferEnd) {
+-    /* FIXME avoid integer overflow */
+     int neededSize = len + (int)(bufferEnd - bufferPtr);
++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
++    if (neededSize < 0) {
++      errorCode = XML_ERROR_NO_MEMORY;
++      return NULL;
++    }
++/* END MOZILLA CHANGE */
+ #ifdef XML_CONTEXT_BYTES
+     int keep = (int)(bufferPtr - buffer);
+ 
+@@ -1692,7 +1703,15 @@ XML_GetBuffer(XML_Parser parser, int len)
+         bufferSize = INIT_BUFFER_SIZE;
+       do {
+         bufferSize *= 2;
+-      } while (bufferSize < neededSize);
++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
++      } while (bufferSize < neededSize && bufferSize > 0);
++/* END MOZILLA CHANGE */
++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
++      if (bufferSize <= 0) {
++        errorCode = XML_ERROR_NO_MEMORY;
++        return NULL;
++      }
++/* END MOZILLA CHANGE */
+       newBuf = (char *)MALLOC(bufferSize);
+       if (newBuf == 0) {
+         errorCode = XML_ERROR_NO_MEMORY;
+-- 
+2.2.1
+
-- 
cgit v1.2.3