author | Samanta Navarro <ferivoz@riseup.net> | 2022-01-22 17:48:00 +0100 |
---|---|---|
committer | Sebastian Pipping <sebastian@pipping.org> | 2022-01-24 02:35:02 +0100 |
commit | 847a645152f5ebc10ac63b74b604d0c1a79fae40 (patch) | |
tree | cccb1f2b5b4a75be8f7ff1a7e0a437f9d3794c70 | |
parent | 8fb2211e997679ce7aae9d0234983052c1054f62 (diff) | |
download | libexpat-git-847a645152f5ebc10ac63b74b604d0c1a79fae40.tar.gz |
lib: Detect and prevent integer overflow in XML_GetBuffer (CVE-2022-23852)
-rw-r--r-- | expat/lib/xmlparse.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index d54af683..5ce31402 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
 keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
 if (keep > XML_CONTEXT_BYTES)
 keep = XML_CONTEXT_BYTES;
+ /* Detect and prevent integer overflow */
+ if (keep > INT_MAX - neededSize) {
+ parser->m_errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
 neededSize += keep;
 #endif /* defined XML_CONTEXT_BYTES */
 if (neededSize |
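Review bot: The new guard `if (keep > INT_MAX - neededSize)` is itself free of signed overflow only while `neededSize` is non-negative, and nothing inside the hunk establishes that. XML_GetBuffer begins above the hunk, so presumably an earlier check already rejects a negative `neededSize`; that should be confirmed, and the comment should state the precondition instead of the generic wording, for example `/* neededSize >= 0 here, so INT_MAX - neededSize cannot wrap; reject keep + neededSize > INT_MAX */`. The commit changes only xmlparse.c, so a regression test covering the new XML_ERROR_NO_MEMORY return path would have to be added separately.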