[libxml2] Fix overflow check in SAX2.c
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Fix overflow check in SAX2.c
- Date: Thu, 1 Sep 2022 00:40:06 +0000 (UTC)
commit aeb69fd3575a33eb2ffded18a444d8945bcbd741
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Thu Sep 1 02:33:16 2022 +0200
Fix overflow check in SAX2.c
SAX2.c | 24 ++++++++++--------------
1 file changed, 10 insertions(+), 14 deletions(-)
---
diff --git a/SAX2.c b/SAX2.c
index 1cf0e8d8..6f46cad3 100644
--- a/SAX2.c
+++ b/SAX2.c
@@ -32,11 +32,6 @@
#include "private/parser.h"
#include "private/tree.h"
-/* Define SIZE_T_MAX unless defined through <limits.h>. */
-#ifndef SIZE_T_MAX
-# define SIZE_T_MAX ((size_t)-1)
-#endif /* !SIZE_T_MAX */
-
/* #define DEBUG_SAX2 */
/* #define DEBUG_SAX2_TREE */
@@ -2600,22 +2595,23 @@ xmlSAX2Text(xmlParserCtxtPtr ctxt, const xmlChar *ch, int len,
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL");
return;
}
- if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) &&
+ if (ctxt->nodelen > INT_MAX - len) {
+ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
+ return;
+ }
+ if ((ctxt->nodelen + len > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node");
return;
}
- if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
- (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
- xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
- return;
- }
if (ctxt->nodelen + len >= ctxt->nodemem) {
xmlChar *newbuf;
- size_t size;
+ int size;
- size = ctxt->nodemem + len;
- size *= 2;
+ size = ctxt->nodemem > INT_MAX - len ?
+ INT_MAX :
+ ctxt->nodemem + len;
+ size = size > INT_MAX / 2 ? INT_MAX : size * 2;
newbuf = (xmlChar *) xmlRealloc(lastChild->content,size);
if (newbuf == NULL) {
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters");
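Review bot: The new guard `if (ctxt->nodelen > INT_MAX - len)` still admits `ctxt->nodelen + len == INT_MAX`, and in that case both saturating steps leave `size` at `INT_MAX`, so the reallocated buffer has no room for a byte past the appended text. The growth test `ctxt->nodelen + len >= ctxt->nodemem` suggests one extra byte is expected, presumably for a terminator written after the hunk; if so, the guard should be `if (ctxt->nodelen >= INT_MAX - len)`. Both `INT_MAX - len` expressions also assume `len` is non-negative, which the hunk does not show being checked, so a one-line comment stating that precondition would help. The body of xmlSAX2Text starts before and continues after this hunk, so the copy itself is not visible here.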