[Python-checkins] cpython (merge 3.5 -> default): merge 3.5 (#26556)
benjamin.peterson
python-checkins at python.org
Sat Jun 11 16:35:38 EDT 2016
https://hg.python.org/cpython/rev/77353f0106cc
changeset: 101894:77353f0106cc
parent: 101889:9e99a96d6ac3
parent: 101893:f3c36afdedae
user: Benjamin Peterson <benjamin at python.org>
date: Sat Jun 11 13:33:58 2016 -0700
summary:
merge 3.5 (#26556)
files:
Misc/NEWS | 2 ++
Modules/expat/expat.h | 2 +-
Modules/expat/xmlparse.c | 26 ++++++++++++++++++++++----
Modules/expat/xmltok.c | 2 +-
4 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -41,6 +41,8 @@
- Issue #20508: Improve exception message of IPv{4,6}Network.__getitem__.
Patch by Gareth Rees.
+- Issue #26556: Update expat to 2.1.1, fixes CVE-2015-1283.
+
- Fix TLS stripping vulnerability in smptlib, CVE-2016-0772. Reported by Team
Oststrom
diff --git a/Modules/expat/expat.h b/Modules/expat/expat.h
--- a/Modules/expat/expat.h
+++ b/Modules/expat/expat.h
@@ -1040,7 +1040,7 @@
*/
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 1
-#define XML_MICRO_VERSION 0
+#define XML_MICRO_VERSION 1
#ifdef __cplusplus
}
diff --git a/Modules/expat/xmlparse.c b/Modules/expat/xmlparse.c
--- a/Modules/expat/xmlparse.c
+++ b/Modules/expat/xmlparse.c
@@ -1550,7 +1550,7 @@
else if (bufferPtr == bufferEnd) {
const char *end;
int nLeftOver;
- enum XML_Error result;
+ enum XML_Status result;
parseEndByteIndex += len;
positionPtr = s;
ps_finalBuffer = (XML_Bool)isFinal;
@@ -1678,6 +1678,10 @@
void * XMLCALL
XML_GetBuffer(XML_Parser parser, int len)
{
+ if (len < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
switch (ps_parsing) {
case XML_SUSPENDED:
errorCode = XML_ERROR_SUSPENDED;
@@ -1689,10 +1693,16 @@
}
if (len > bufferLim - bufferEnd) {
- /* FIXME avoid integer overflow */
+#ifdef XML_CONTEXT_BYTES
+ int keep;
+#endif
int neededSize = len + (int)(bufferEnd - bufferPtr);
+ if (neededSize < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
#ifdef XML_CONTEXT_BYTES
- int keep = (int)(bufferPtr - buffer);
+ keep = (int)(bufferPtr - buffer);
if (keep > XML_CONTEXT_BYTES)
keep = XML_CONTEXT_BYTES;
@@ -1719,7 +1729,11 @@
bufferSize = INIT_BUFFER_SIZE;
do {
bufferSize *= 2;
- } while (bufferSize < neededSize);
+ } while (bufferSize < neededSize && bufferSize > 0);
+ if (bufferSize <= 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
newBuf = (char *)MALLOC(bufferSize);
if (newBuf == 0) {
errorCode = XML_ERROR_NO_MEMORY;
@@ -2911,6 +2925,8 @@
unsigned long uriHash = hash_secret_salt;
((XML_Char *)s)[-1] = 0; /* clear flag */
id = (ATTRIBUTE_ID *)lookup(parser, &dtd->attributeIds, s, 0);
+ if (!id || !id->prefix)
+ return XML_ERROR_NO_MEMORY;
b = id->prefix->binding;
if (!b)
return XML_ERROR_UNBOUND_PREFIX;
@@ -5475,6 +5491,8 @@
return NULL;
id->prefix = (PREFIX *)lookup(parser, &dtd->prefixes, poolStart(&dtd->pool),
sizeof(PREFIX));
+ if (!id->prefix)
+ return NULL;
if (id->prefix->name == poolStart(&dtd->pool))
poolFinish(&dtd->pool);
else
diff --git a/Modules/expat/xmltok.c b/Modules/expat/xmltok.c
--- a/Modules/expat/xmltok.c
+++ b/Modules/expat/xmltok.c
@@ -1584,7 +1584,7 @@
if (ptr[0] == '\0') {
/* 0 isn't a legal data character. Furthermore a document
entity can only start with ASCII characters. So the only
- way this can fail to be big-endian UTF-16 is if it is an
+ way this can fail to be big-endian UTF-16 if it it's an
external parsed general entity that's labelled as
UTF-16LE.
*/
--
Repository URL: https://hg.python.org/cpython
More information about the Python-checkins
mailing list