lib: Detect and prevent integer overflow in XML_GetBuffer (CVE-2022-23852)

author: Samanta Navarro <ferivoz@riseup.net> 2022-01-22 17:48:00 +0100
committer: Sebastian Pipping <sebastian@pipping.org> 2022-01-24 02:35:02 +0100
commit: 847a645152f5ebc10ac63b74b604d0c1a79fae40 (patch)
tree: cccb1f2b5b4a75be8f7ff1a7e0a437f9d3794c70
parent: 8fb2211e997679ce7aae9d0234983052c1054f62 (diff)
download: libexpat-git-847a645152f5ebc10ac63b74b604d0c1a79fae40.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index d54af683..5ce31402 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
     keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
     if (keep > XML_CONTEXT_BYTES)
       keep = XML_CONTEXT_BYTES;
+    /* Detect and prevent integer overflow */
+    if (keep > INT_MAX - neededSize) {
+      parser->m_errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
     neededSize += keep;
 #endif /* defined XML_CONTEXT_BYTES */
     if (neededSize
author	Samanta Navarro <ferivoz@riseup.net>	2022-01-22 17:48:00 +0100
committer	Sebastian Pipping <sebastian@pipping.org>	2022-01-24 02:35:02 +0100
commit	847a645152f5ebc10ac63b74b604d0c1a79fae40 (patch)
tree	cccb1f2b5b4a75be8f7ff1a7e0a437f9d3794c70
parent	8fb2211e997679ce7aae9d0234983052c1054f62 (diff)
download	libexpat-git-847a645152f5ebc10ac63b74b604d0c1a79fae40.tar.gz