[libxml2] Unsigned addition may overflow in xmlMallocAtomicLoc()



commit 886529b56ccbf381d9a58c64b4d016a9d05e2c25
Author: David Kilzer <ddkilzer apple com>
Date:   Tue Apr 5 12:05:25 2016 -0700

    Unsigned addition may overflow in xmlMallocAtomicLoc()
    
    For https://bugzilla.gnome.org/show_bug.cgi?id=764616
    
    This code is used only if memory allocation debugging is turned on
    in configure with --with-mem-debug, which should never happen
    in real life, so it is not a serious issue.
    
    * xmlmemory.c:
    (MAX_SIZE_T): Macro to define maximum value of size_t.
    (xmlMallocAtomicLoc): Add bounds check.  Fix description and use
    the correct function name in another error message.

 xmlmemory.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)
---
diff --git a/xmlmemory.c b/xmlmemory.c
index f24fd6d..f08c8c3 100644
--- a/xmlmemory.c
+++ b/xmlmemory.c
@@ -109,6 +109,7 @@ typedef struct memnod {
 #define RESERVE_SIZE (((HDR_SIZE + (ALIGN_SIZE-1)) \
                      / ALIGN_SIZE ) * ALIGN_SIZE)
 
+#define MAX_SIZE_T ((size_t)-1)
 
 #define CLIENT_2_HDR(a) ((MEMHDR *) (((char *) (a)) - RESERVE_SIZE))
 #define HDR_2_CLIENT(a)    ((void *) (((char *) (a)) + RESERVE_SIZE))
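Review bot: The new MAX_SIZE_T macro carries no comment explaining why `((size_t)-1)` is the intended value, and the same constant already has a standard name, `SIZE_MAX` in C99's `<stdint.h>`. If the build cannot assume C99 headers, keeping the local macro is reasonable, but it should say so; suggest `/* Largest value a size_t can hold (SIZE_MAX in C99); used to guard RESERVE_SIZE + size against wrap-around. */` above the define. The conversion of -1 to size_t is well defined, so the value itself is correct.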
@@ -217,7 +218,7 @@ xmlMallocLoc(size_t size, const char * file, int line)
 
 /**
  * xmlMallocAtomicLoc:
- * @size:  an int specifying the size in byte to allocate.
+ * @size:  an unsigned int specifying the size in byte to allocate.
  * @file:  the file name or NULL
  * @line:  the line number
  *
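Review bot: The corrected @size line still documents the wrong type: the signature in the next hunk's context, `xmlMallocAtomicLoc(size_t size, const char * file, int line)`, takes a `size_t`, not an `unsigned int`, and the distinction matters on LP64 targets where the two differ in width. Suggest ` * @size:  a size_t specifying the size in bytes to allocate.`. The comment block this line belongs to continues past the end of the hunk.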
@@ -240,11 +241,18 @@ xmlMallocAtomicLoc(size_t size, const char * file, int line)
 
     TEST_POINT
 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+       xmlGenericError(xmlGenericErrorContext,
+               "xmlMallocAtomicLoc : Unsigned overflow prevented\n");
+       xmlMemoryDump();
+       return(NULL);
+    }
+
     p = (MEMHDR *) malloc(RESERVE_SIZE+size);
 
     if (!p) {
        xmlGenericError(xmlGenericErrorContext,
-               "xmlMallocLoc : Out of free space\n");
+               "xmlMallocAtomicLoc : Out of free space\n");
        xmlMemoryDump();
        return(NULL);
     }
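Review bot: The wrap-around guard is added only to xmlMallocAtomicLoc, while the preceding hunk's context names xmlMallocLoc, whose body ends just above this hunk and, judging by the copy-pasted "xmlMallocLoc : Out of free space" message being corrected here, presumably computes the same `RESERVE_SIZE+size` before malloc; if so it needs the identical check, and any sibling such as a realloc variant should be audited the same way. The check itself, `size > (MAX_SIZE_T - RESERVE_SIZE)`, is the right form since it subtracts before comparing and cannot itself wrap. A one-line comment on the guard would help the next reader, e.g. `/* RESERVE_SIZE + size must not wrap around before malloc sees it */`. The body of xmlMallocAtomicLoc continues past the end of the hunk.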

