From 06d354807ac297374973631a6418edf7e3fcbf30 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 28 Feb 2022 10:43:23 -0500
Subject: [PATCH 6/6] Prevent integer overflow on m_groupSize in doProlog (CVE-2021-46143)

Backported from upstream https://github.com/libexpat/libexpat/pull/538

Resolves: #2058560
---
 lib/expat/xmlparse/xmlparse.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
index 16ab82a..b9aa927 100644
--- a/lib/expat/xmlparse/xmlparse.c
+++ b/lib/expat/xmlparse/xmlparse.c
@@ -3991,6 +3991,11 @@ doProlog(XML_Parser const xmlParserP,
 case XML_ROLE_GROUP_OPEN:
 if (prologState.level >= groupSize) {
 if (groupSize) {
+ /* Detect and prevent integer overflow */
+ if (groupSize > (unsigned int)(-1) / 2u) {
+ *errorCodeP = XML_ERROR_NO_MEMORY;
+ return;
+ }
 char *temp = realloc(groupConnector, groupSize *= 2);
 if (!temp) {
 *errorCodeP = XML_ERROR_NO_MEMORY;
-- 
2.31.1
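Review bot: The added guard `if (groupSize > (unsigned int)(-1) / 2u)` bounds the following `groupSize *= 2` correctly only if `groupSize` is an `unsigned int` (as upstream's `m_groupSize` is), and the hunk does not show its declaration in this tree; if it is `size_t` the test is stricter than needed but still safe, and if it is a signed `int` the comparison only works through promotion, so confirm the type and, if it is `unsigned int`, consider writing the bound as `UINT_MAX / 2u` from `<limits.h>` so the intent is obvious. A second, portability point: the new `if` statement now precedes `char *temp = realloc(...)`, turning it into a declaration after a statement; that is fine under C99 but breaks a `-std=c89 -pedantic-errors` build if this bundled copy is still compiled that way, in which case hoist `char *temp;` above the guard and assign it afterwards. doProlog begins and ends outside this hunk, so the error-return path's cleanup is not visible here.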