Submitted By: Ken Moffat <ken at linuxfromscratch dot org>
Date: 2009-09-16
Initial Package Version: 2.0.1
Upstream Status: Applied
Origin: Upstream
Description: Fixes for CVE-2009-2625 (infinite loop and application hang via malformed XML).
 The vulnerability was raised  against Apache Xerces2 Java, but see e.g.
 https://bugs.gentoo.org/show_bug.cgi?id=280615


diff -Naur expat-2.0.1.orig/lib/xmlparse.c expat-2.0.1/lib/xmlparse.c
--- expat-2.0.1.orig/lib/xmlparse.c	2007-05-08 03:25:35.000000000 +0100
+++ expat-2.0.1/lib/xmlparse.c	2009-09-16 14:20:02.000000000 +0100
@@ -2563,6 +2563,8 @@
                               (int)(dataPtr - (ICHAR *)dataBuf));
               if (s == next)
                 break;
+              if (ps_parsing == XML_FINISHED || ps_parsing == XML_SUSPENDED)
+                break;
               *eventPP = s;
             }
           }
diff -Naur expat-2.0.1.orig/lib/xmltok_impl.c expat-2.0.1/lib/xmltok_impl.c
--- expat-2.0.1.orig/lib/xmltok_impl.c	2006-11-26 17:34:46.000000000 +0000
+++ expat-2.0.1/lib/xmltok_impl.c	2009-09-16 14:20:05.000000000 +0100
@@ -1744,7 +1744,7 @@
                        const char *end,
                        POSITION *pos)
 {
-  while (ptr != end) {
+  while (ptr < end) {
     switch (BYTE_TYPE(enc, ptr)) {
 #define LEAD_CASE(n) \
     case BT_LEAD ## n: \