8edb8caaf8
Fix CVE-2024-45492 integer overflow Fix CVE-2024-45491 Integer Overflow or Wraparound Fix CVE-2024-45490 Negative Length Parsing Vulnerability Resolves: RHEL-57505 Resolves: RHEL-57493 Resolves: RHEL-56751
29 lines
924 B
Diff
29 lines
924 B
Diff
commit 6fd04be3c2f7a2730c85b0eaf061549953161da3
|
|
Author: Tomas Korbar <tkorbar@redhat.com>
|
|
Date: Wed Sep 11 15:12:38 2024 +0200
|
|
|
|
Fix CVE-2024-45492
|
|
|
|
https://github.com/libexpat/libexpat/pull/892
|
|
|
|
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
|
|
index 6818c4e..698e907 100644
|
|
--- a/expat/lib/xmlparse.c
|
|
+++ b/expat/lib/xmlparse.c
|
|
@@ -7426,6 +7426,15 @@ nextScaffoldPart(XML_Parser parser)
|
|
int next;
|
|
|
|
if (!dtd->scaffIndex) {
|
|
+ /* Detect and prevent integer overflow.
|
|
+ * The preprocessor guard addresses the "always false" warning
|
|
+ * from -Wtype-limits on platforms where
|
|
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
|
+#if UINT_MAX >= SIZE_MAX
|
|
+ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
|
|
+ return -1;
|
|
+ }
|
|
+#endif
|
|
dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
|
|
if (!dtd->scaffIndex)
|
|
return -1;
|