diff options
author | Sebastian Pipping <sebastian@pipping.org> | 2022-01-10 18:01:11 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-10 18:01:11 +0100 |
commit | 82c11af9d3dafc1b086a15efecd6ec07b6e13613 (patch) | |
tree | c197797f03fa6b60c858382ac57801f74c462723 | |
parent | b6b432bad559b7dcd60ed3da36db3881abb08457 (diff) | |
parent | f488b072b75d090f76aa61146ddf743813e9b81b (diff) | |
download | libexpat-git-82c11af9d3dafc1b086a15efecd6ec07b6e13613.tar.gz |
Merge pull request #538 from libexpat/issue-532-integer-overflow
[CVE-2021-46143] lib: Prevent integer overflow on m_groupSize in function doProlog (fixes #532)
-rw-r--r-- | expat/Changes | 6 | ||||
-rw-r--r-- | expat/lib/xmlparse.c | 15 |
2 files changed, 21 insertions, 0 deletions
diff --git a/expat/Changes b/expat/Changes index 4d4de0bb..98d4f53c 100644 --- a/expat/Changes +++ b/expat/Changes @@ -16,6 +16,10 @@ Release x.x.x xxx xxxxxxxx xx xxxx where XML_ParserCreateNS is used to create the parser (which needs argument "-n" when running xmlwf). Impact is denial of service, or more. + #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow + on variable m_groupSize in function doProlog leading + to realloc acting as free. + Impact is denial of service or more. Other changes: #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19 @@ -27,11 +31,13 @@ Release x.x.x xxx xxxxxxxx xx xxxx #536 CI: Check for realistic minimum CMake version Special thanks to: + An anonymous whitehat Christopher Degawa J. Peter Mugaas Tyson Smith and GCC Farm Project + Trend Micro Zero Day Initiative Release 2.4.2 Sun December 19 2021 Other changes: diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c index b47c31b0..8f243126 100644 --- a/expat/lib/xmlparse.c +++ b/expat/lib/xmlparse.c @@ -5046,6 +5046,11 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, if (parser->m_prologState.level >= parser->m_groupSize) { if (parser->m_groupSize) { { + /* Detect and prevent integer overflow */ + if (parser->m_groupSize > (unsigned int)(-1) / 2u) { + return XML_ERROR_NO_MEMORY; + } + char *const new_connector = (char *)REALLOC( parser, parser->m_groupConnector, parser->m_groupSize *= 2); if (new_connector == NULL) { @@ -5056,6 +5061,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, } if (dtd->scaffIndex) { + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) { + return XML_ERROR_NO_MEMORY; + } +#endif + int *const new_scaff_index = (int *)REALLOC( parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int)); if (new_scaff_index == NULL) |