diff options
author | Sebastian Pipping <sebastian@pipping.org> | 2022-02-18 18:00:24 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-02-18 18:00:24 +0100 |
commit | 89214940efd13e3b83fa078fd70eb4dbdc04c4a5 (patch) | |
tree | 74e2ce98f9023453e85e4c24455f02f8f3bafe0c | |
parent | bbdfcfef4747d2d66e81c19f4a55e29e291aa171 (diff) | |
parent | eb0362808b4f9f1e2345a0cf203b8cc196d776d9 (diff) | |
download | libexpat-git-89214940efd13e3b83fa078fd70eb4dbdc04c4a5.tar.gz |
Merge pull request #559 from ferivoz/rawnames
[CVE-2022-25315] lib: Prevent integer overflow in storeRawNames
-rw-r--r-- | expat/lib/xmlparse.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c index ee9a114c..8bd5b077 100644 --- a/expat/lib/xmlparse.c +++ b/expat/lib/xmlparse.c @@ -2563,6 +2563,7 @@ storeRawNames(XML_Parser parser) { while (tag) { int bufSize; int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1); + size_t rawNameLen; char *rawNameBuf = tag->buf + nameLen; /* Stop if already stored. Since m_tagStack is a stack, we can stop at the first entry that has already been copied; everything @@ -2574,7 +2575,11 @@ storeRawNames(XML_Parser parser) { /* For re-use purposes we need to ensure that the size of tag->buf is a multiple of sizeof(XML_Char). */ - bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char)); + rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char)); + /* Detect and prevent integer overflow. */ + if (rawNameLen > (size_t)INT_MAX - nameLen) + return XML_FALSE; + bufSize = nameLen + (int)rawNameLen; if (bufSize > tag->bufEnd - tag->buf) { char *temp = (char *)REALLOC(parser, tag->buf, bufSize); if (temp == NULL) |