Package: xerces-c / 3.1.1-5.1+deb8u4

CVE-2015-0252.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
Description: CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input
 The Xerces-C XML parser mishandles certain kinds of malformed input
 documents, resulting in a segmentation fault during a parse operation.
Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1667870
Bug-Debian: https://bugs.debian.org/780827
Forwarded: not-needed
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2015-03-12
Applied-Upstream: 3.1.2

--- a/src/xercesc/internal/XMLReader.cpp
+++ b/src/xercesc/internal/XMLReader.cpp
@@ -1460,6 +1460,17 @@ void XMLReader::doInitDecode()
 
             while (fRawBufIndex < fRawBytesAvail)
             {
+                // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume.
+                if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) {
+                    ThrowXMLwithMemMgr1
+                    (
+                        TranscodingException
+                        , XMLExcepts::Reader_CouldNotDecodeFirstLine
+                        , fSystemId
+                        , fMemoryManager
+                    );
+                }
+
                 // Get out the current 4 byte value and inc our raw buf index
                 UCS4Ch curVal = *asUCS++;
                 fRawBufIndex += sizeof(UCS4Ch);
@@ -1619,6 +1630,17 @@ void XMLReader::doInitDecode()
 
             while (fRawBufIndex < fRawBytesAvail)
             {
+                // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume.
+                if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) {
+                    ThrowXMLwithMemMgr1
+                    (
+                        TranscodingException
+                        , XMLExcepts::Reader_CouldNotDecodeFirstLine
+                        , fSystemId
+                        , fMemoryManager
+                    );
+                }
+
                 // Get out the current 2 byte value
                 UTF16Ch curVal = *asUTF16++;
                 fRawBufIndex += sizeof(UTF16Ch);
@@ -1708,6 +1730,17 @@ void XMLReader::doInitDecode()
 //
 void XMLReader::refreshRawBuffer()
 {
+    // Security fix: make sure we don't underflow on the subtraction.
+    if (fRawBufIndex > fRawBytesAvail) {
+        ThrowXMLwithMemMgr1
+        (
+            RuntimeException
+            , XMLExcepts::Str_StartIndexPastEnd
+            , fSystemId
+            , fMemoryManager
+        );
+    }
+
     //
     //  If there are any bytes left, move them down to the start. There
     //  should only ever be (max bytes per char - 1) at the most.