From ce6eddc1a167dafaac17c7bad9fa6b013fada31b Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 25 Feb 2022 13:07:07 -0500
Subject: [PATCH 5/6] lib: Prevent more integer overflows (CVE-2022-22822 to CVE-2022-22827)
Backport fixes from https://github.com/libexpat/libexpat/pull/539
Resolves: #2058567, #2058576, #2058282, #2058589, #2058595, #2058602
---
 lib/expat/xmlparse/xmlparse.c | 40 +++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
index 48adfb3..16ab82a 100644
--- a/lib/expat/xmlparse/xmlparse.c
+++ b/lib/expat/xmlparse/xmlparse.c
@@ -19,6 +19,7 @@ See the file copying.txt for copying permission.
 #include
 #include /* UINT_MAX */
 #include /* time() */
+#include
 #include "xmlrpc_config.h"
 #include "c_util.h"
@@ -1076,6 +1077,9 @@ int addBinding(XML_Parser parser,
 ;
 if (namespaceSeparator)
 len++;
+ if (namespaceSeparator && (uri[len] == namespaceSeparator)) {
+ return XML_ERROR_SYNTAX;
+ }
 if (freeBindingList) {
 b = freeBindingList;
 if (len > b->uriAlloc) {
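Review bot: The new `uri[len] == namespaceSeparator` test in addBinding is evaluated only after `len++` has already advanced `len` past the end of the scan, so it never compares a character of the URI and the intended rejection cannot trigger. The `;` context line presumably closes a loop that walks `uri` to its terminator (the loop header is outside the hunk); at that point `uri[len]` is the NUL, and after the increment it is one element past it, which on a buffer sized exactly to the string is an out-of-bounds read. The comparison belongs inside that loop body, where `len` still indexes the URI, so that `if (namespaceSeparator && (uri[len] == namespaceSeparator)) return XML_ERROR_SYNTAX;` is checked per character. addBinding's body continues beyond the hunk on both sides.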
@@ -2116,10 +2120,32 @@ storeAtts(XML_Parser const xmlParserP,
 }
 /* get the attributes from the tokenizer */
 n = XmlGetAttributes(enc, attStr, attsSize, atts);
+
+
+ /* Detect and prevent integer overflow */
+ if (n > INT_MAX - nDefaultAtts) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
 if (n + nDefaultAtts > attsSize) {
 int oldAttsSize = attsSize;
 ATTRIBUTE *temp;
+ /* Detect and prevent integer overflow */
+ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
+ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
+ return XML_ERROR_NO_MEMORY;
+ }
 attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
+ attsSize = oldAttsSize;
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
 temp = realloc((void *)atts, attsSize * sizeof(ATTRIBUTE));
 if (!temp)
 return XML_ERROR_NO_MEMORY;
@@ -2297,6 +2323,20 @@ storeAtts(XML_Parser const xmlParserP,
 n = i + binding->uriLen;
 if (n > binding->uriAlloc) {
 TAG *p;
+
+ /* Detect and prevent integer overflow */
+ if (n > INT_MAX - EXPAND_SPARE) {
+ return XML_ERROR_NO_MEMORY;
+ }
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
 XML_Char *uri = malloc((n + EXPAND_SPARE) * sizeof(XML_Char));
 if (!uri)
 return XML_ERROR_NO_MEMORY;
--
2.31.1
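Review bot: The size_t guard inside the `#if UINT_MAX >= SIZE_MAX` block reads `(unsigned)parser->m_attsSize`, while every other line of the hunk, including the `oldAttsSize` save and the `realloc` size, uses `attsSize`, and the hunk header shows this function's parameter is `xmlParserP`, not `parser`. Unless `attsSize` is a macro over that field and `parser` is a local in scope here, the guarded branch will either fail to compile or compare a different value on the 32-bit targets where the `#if` is true, and since it is not compiled on x86_64 an ordinary build will not notice. Using the same name as the surrounding code removes the doubt: `if ((unsigned)attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {`. The equivalent guard in the `@@ -2297` hunk already uses the local expression `(n + EXPAND_SPARE)`, so only this one is affected. storeAtts begins and ends outside the hunk.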