expat/SOURCES/expat-2.2.5-Prevent-integer-overflow-in-storeRawNames.patch
2022-03-22 14:29:38 +00:00

32 lines
1.2 KiB
Diff

commit 3a4141add108097fa548b196f5950c6663e1578e
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Thu Mar 3 13:50:20 2022 +0100
CVE-2022-25315
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index f0061c8..45fda00 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -2508,6 +2508,7 @@ storeRawNames(XML_Parser parser)
while (tag) {
int bufSize;
int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);
+ size_t rawNameLen;
char *rawNameBuf = tag->buf + nameLen;
/* Stop if already stored. Since m_tagStack is a stack, we can stop
at the first entry that has already been copied; everything
@@ -2519,7 +2520,11 @@ storeRawNames(XML_Parser parser)
/* For re-use purposes we need to ensure that the
size of tag->buf is a multiple of sizeof(XML_Char).
*/
- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
+ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
+ /* Detect and prevent integer overflow. */
+ if (rawNameLen > (size_t)INT_MAX - nameLen)
+ return XML_FALSE;
+ bufSize = nameLen + (int)rawNameLen;
if (bufSize > tag->bufEnd - tag->buf) {
char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
if (temp == NULL)