author | Sebastian Pipping <sebastian@pipping.org> | 2022-01-23 18:17:04 +0100 |
---|---|---|
committer | Sebastian Pipping <sebastian@pipping.org> | 2022-01-24 02:37:47 +0100 |
commit | acf956f14bf79a5e6383a969aaffec98bfbc2e44 (patch) | |
tree | dc56ef4fbf84c1357db509bea6e83cbe5faa4c15 | |
parent | 847a645152f5ebc10ac63b74b604d0c1a79fae40 (diff) | |
download | libexpat-git-acf956f14bf79a5e6383a969aaffec98bfbc2e44.tar.gz |
tests: Cover integer overflow in XML_GetBuffer (CVE-2022-23852)
-rw-r--r-- | expat/tests/runtests.c | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
index e89e8220..579dad1a 100644
--- a/expat/tests/runtests.c
+++ b/expat/tests/runtests.c
@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {
 }
 END_TEST
 
+/* Test for signed integer overflow CVE-2022-23852 */
+#if defined(XML_CONTEXT_BYTES)
+START_TEST(test_get_buffer_3_overflow) {
+ XML_Parser parser = XML_ParserCreate(NULL);
+ assert(parser != NULL);
+
+ const char *const text = "\n";
+ const int expectedKeepValue = (int)strlen(text);
+
+ // After this call, variable "keep" in XML_GetBuffer will
+ // have value expectedKeepValue
+ if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
+ == XML_STATUS_ERROR)
+ xml_failure(parser);
+
+ assert(expectedKeepValue > 0);
+ if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
+ fail("enlarging buffer not failed");
+
+ XML_ParserFree(parser);
+}
+END_TEST
+#endif // defined(XML_CONTEXT_BYTES)
+
 /* Test position information macros */
 START_TEST(test_byte_info_at_end) {
 const char *text = "<doc></doc>";
@@ -11731,6 +11755,9 @@ make_suite(void) {
 tcase_add_test(tc_basic, test_empty_parse);
 tcase_add_test(tc_basic, test_get_buffer_1);
 tcase_add_test(tc_basic, test_get_buffer_2);
+#if defined(XML_CONTEXT_BYTES)
+ tcase_add_test(tc_basic, test_get_buffer_3_overflow);
+#endif
 tcase_add_test(tc_basic, test_byte_info_at_end);
 tcase_add_test(tc_basic, test_byte_info_at_error);
 tcase_add_test(tc_basic, test_byte_info_at_cdata); |
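Review bot: The two `assert(...)` calls in test_get_buffer_3_overflow are compiled out when the test binary is built with NDEBUG, so a failed XML_ParserCreate would reach XML_Parse with a NULL parser instead of failing the test; reporting through the harness, e.g. `if (parser == NULL) fail("parser not created");`, keeps the precondition in every build. The final check only requires XML_GetBuffer to return NULL, which does not distinguish the overflow rejection from any other failure; if the fixed code is expected to report out-of-memory here, also checking `XML_GetErrorCode(parser) == XML_ERROR_NO_MEMORY` would pin the reason. The guard `#if defined(XML_CONTEXT_BYTES)` also admits a build where the macro is defined as 0, in which case "keep" presumably never reaches expectedKeepValue and the request would no longer sit on the overflow boundary; a comment stating that assumption next to the `#if` would help.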