32 lines
1.2 KiB
Diff
32 lines
1.2 KiB
Diff
commit 3a4141add108097fa548b196f5950c6663e1578e
|
|
Author: Tomas Korbar <tkorbar@redhat.com>
|
|
Date: Thu Mar 3 13:50:20 2022 +0100
|
|
|
|
CVE-2022-25315
|
|
|
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
|
index f0061c8..45fda00 100644
|
|
--- a/lib/xmlparse.c
|
|
+++ b/lib/xmlparse.c
|
|
@@ -2508,6 +2508,7 @@ storeRawNames(XML_Parser parser)
|
|
while (tag) {
|
|
int bufSize;
|
|
int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);
|
|
+ size_t rawNameLen;
|
|
char *rawNameBuf = tag->buf + nameLen;
|
|
/* Stop if already stored. Since m_tagStack is a stack, we can stop
|
|
at the first entry that has already been copied; everything
|
|
@@ -2519,7 +2520,11 @@ storeRawNames(XML_Parser parser)
|
|
/* For re-use purposes we need to ensure that the
|
|
size of tag->buf is a multiple of sizeof(XML_Char).
|
|
*/
|
|
- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
|
|
+ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
|
|
+ /* Detect and prevent integer overflow. */
|
|
+ if (rawNameLen > (size_t)INT_MAX - nameLen)
|
|
+ return XML_FALSE;
|
|
+ bufSize = nameLen + (int)rawNameLen;
|
|
if (bufSize > tag->bufEnd - tag->buf) {
|
|
char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
|
|
if (temp == NULL)
|