diff options
author | Sebastian Pipping <sebastian@pipping.org> | 2022-01-26 02:36:43 +0100 |
---|---|---|
committer | Sebastian Pipping <sebastian@pipping.org> | 2022-01-26 19:33:12 +0100 |
commit | ede41d1e186ed2aba88a06e84cac839b770af3a1 (patch) | |
tree | 743f34aafc155aa21fe86d70262a1f3864b5a7fa | |
parent | 5f100ffa78b74da8020b71d1582a8979193c1359 (diff) | |
download | libexpat-git-ede41d1e186ed2aba88a06e84cac839b770af3a1.tar.gz |
lib: Prevent integer overflow in doProlog (CVE-2022-23990)
The change from "int nameLen" to "size_t nameLen"
addresses the overflow on "nameLen++" in code
"for (; name[nameLen++];)" right above the second
change in the patch.
-rw-r--r-- | expat/lib/xmlparse.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c index 5ce31402..d1d17005 100644 --- a/expat/lib/xmlparse.c +++ b/expat/lib/xmlparse.c @@ -5372,7 +5372,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, if (dtd->in_eldecl) { ELEMENT_TYPE *el; const XML_Char *name; - int nameLen; + size_t nameLen; const char *nxt = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar); int myindex = nextScaffoldPart(parser); @@ -5388,7 +5388,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, nameLen = 0; for (; name[nameLen++];) ; - dtd->contentStringLen += nameLen; + + /* Detect and prevent integer overflow */ + if (nameLen > UINT_MAX - dtd->contentStringLen) { + return XML_ERROR_NO_MEMORY; + } + + dtd->contentStringLen += (unsigned)nameLen; if (parser->m_elementDeclHandler) handleDefault = XML_FALSE; } |