diff options
author | Sebastian Pipping <sebastian@pipping.org> | 2022-01-26 23:16:10 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-26 23:16:10 +0100 |
commit | 5c168279c5ad4668e5e48fe13374fe7a7de4b573 (patch) | |
tree | aafaa25594cf036b1b0d10c8ab2d8cbe1fa45d53 | |
parent | 5f100ffa78b74da8020b71d1582a8979193c1359 (diff) | |
parent | 6e3449594fb2f61c92fc561f51f82196fdd15d63 (diff) | |
download | libexpat-git-5c168279c5ad4668e5e48fe13374fe7a7de4b573.tar.gz |
Merge pull request #551 from libexpat/prevent-doprolog-overflow
[CVE-2022-23990] lib: Prevent integer overflow in function doProlog
-rw-r--r-- | expat/Changes | 6 | ||||
-rw-r--r-- | expat/lib/xmlparse.c | 10 |
2 files changed, 14 insertions, 2 deletions
diff --git a/expat/Changes b/expat/Changes index 5ff5da5e..ec1f7604 100644 --- a/expat/Changes +++ b/expat/Changes @@ -10,12 +10,18 @@ Release x.x.x xxx xxxxxxx xx xxxx for when XML_CONTEXT_BYTES is defined to >0 (which is both common and default). Impact is denial of service or more. + #551 CVE-2022-23990 -- Fix unsigned integer overflow in function + doProlog triggered by large content in element type + declarations when there is an element declaration handler + present (from a prior call to XML_SetElementDeclHandler). + Impact is denial of service or more. Bug fixes: #544 #545 xmlwf: Fix a memory leak on output file opening error Special thanks to: hwt0415 + Roland Illig Samanta Navarro and Clang LeakSan and the Clang team diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c index 5ce31402..d1d17005 100644 --- a/expat/lib/xmlparse.c +++ b/expat/lib/xmlparse.c @@ -5372,7 +5372,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, if (dtd->in_eldecl) { ELEMENT_TYPE *el; const XML_Char *name; - int nameLen; + size_t nameLen; const char *nxt = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar); int myindex = nextScaffoldPart(parser); @@ -5388,7 +5388,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, nameLen = 0; for (; name[nameLen++];) ; - dtd->contentStringLen += nameLen; + + /* Detect and prevent integer overflow */ + if (nameLen > UINT_MAX - dtd->contentStringLen) { + return XML_ERROR_NO_MEMORY; + } + + dtd->contentStringLen += (unsigned)nameLen; if (parser->m_elementDeclHandler) handleDefault = XML_FALSE; } |