153aa9179Sopenharmony_ciFrom f5b31e49bcababb8da09c2697e24d0ba80a261b6 Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Thu, 1 Sep 2022 02:33:16 +0200
453aa9179Sopenharmony_ciSubject: [PATCH] Fix overflow check in SAX2.c
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/aeb69fd3575a33eb2ffded18a444d8945bcbd741
753aa9179Sopenharmony_ciConflict:SAX2.c
853aa9179Sopenharmony_ci---
953aa9179Sopenharmony_ci SAX2.c | 24 ++++++++++--------------
1053aa9179Sopenharmony_ci 1 file changed, 10 insertions(+), 14 deletions(-)
1153aa9179Sopenharmony_ci
1253aa9179Sopenharmony_cidiff --git a/SAX2.c b/SAX2.c
1353aa9179Sopenharmony_ciindex 0319246..9801393 100644
1453aa9179Sopenharmony_ci--- a/SAX2.c
1553aa9179Sopenharmony_ci+++ b/SAX2.c
1653aa9179Sopenharmony_ci@@ -28,11 +28,6 @@
1753aa9179Sopenharmony_ci #include <libxml/HTMLtree.h>
1853aa9179Sopenharmony_ci #include <libxml/globals.h>
1953aa9179Sopenharmony_ci 
2053aa9179Sopenharmony_ci-/* Define SIZE_T_MAX unless defined through <limits.h>. */
2153aa9179Sopenharmony_ci-#ifndef SIZE_T_MAX
2253aa9179Sopenharmony_ci-# define SIZE_T_MAX ((size_t)-1)
2353aa9179Sopenharmony_ci-#endif /* !SIZE_T_MAX */
2453aa9179Sopenharmony_ci-
2553aa9179Sopenharmony_ci /* #define DEBUG_SAX2 */
2653aa9179Sopenharmony_ci /* #define DEBUG_SAX2_TREE */
2753aa9179Sopenharmony_ci 
2853aa9179Sopenharmony_ci@@ -2576,22 +2571,23 @@ xmlSAX2Text(xmlParserCtxtPtr ctxt, const xmlChar *ch, int len,
2953aa9179Sopenharmony_ci xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL");
3053aa9179Sopenharmony_ci return;
3153aa9179Sopenharmony_ci }
3253aa9179Sopenharmony_ci- if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) &&
3353aa9179Sopenharmony_ci+ if (ctxt->nodelen > INT_MAX - len) {
3453aa9179Sopenharmony_ci+ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
3553aa9179Sopenharmony_ci+ return;
3653aa9179Sopenharmony_ci+ }
3753aa9179Sopenharmony_ci+ if ((ctxt->nodelen + len > XML_MAX_TEXT_LENGTH) &&
3853aa9179Sopenharmony_ci ((ctxt->options & XML_PARSE_HUGE) == 0)) {
3953aa9179Sopenharmony_ci xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node");
4053aa9179Sopenharmony_ci return;
4153aa9179Sopenharmony_ci }
4253aa9179Sopenharmony_ci- if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
4353aa9179Sopenharmony_ci- (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
4453aa9179Sopenharmony_ci- xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
4553aa9179Sopenharmony_ci- return;
4653aa9179Sopenharmony_ci- }
4753aa9179Sopenharmony_ci if (ctxt->nodelen + len >= ctxt->nodemem) {
4853aa9179Sopenharmony_ci xmlChar *newbuf;
4953aa9179Sopenharmony_ci- size_t size;
5053aa9179Sopenharmony_ci+ int size;
5153aa9179Sopenharmony_ci 
5253aa9179Sopenharmony_ci- size = ctxt->nodemem + len;
5353aa9179Sopenharmony_ci- size *= 2;
5453aa9179Sopenharmony_ci+ size = ctxt->nodemem > INT_MAX - len ?
5553aa9179Sopenharmony_ci+ INT_MAX :
5653aa9179Sopenharmony_ci+ ctxt->nodemem + len;
5753aa9179Sopenharmony_ci+ size = size > INT_MAX / 2 ? INT_MAX : size * 2;
5853aa9179Sopenharmony_ci newbuf = (xmlChar *) xmlRealloc(lastChild->content,size);
5953aa9179Sopenharmony_ci if (newbuf == NULL) {
6053aa9179Sopenharmony_ci xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters");
6153aa9179Sopenharmony_ci--
6253aa9179Sopenharmony_ci2.27.0
6353aa9179Sopenharmony_ci
64
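Review bot: The clamp `size = size > INT_MAX / 2 ? INT_MAX : size * 2;` can leave `ctxt->nodemem` equal to `ctxt->nodelen + len` when that sum is exactly INT_MAX, yet the grow condition `if (ctxt->nodelen + len >= ctxt->nodemem)` two lines above requires nodemem to stay strictly larger than the stored length, presumably because a terminating NUL is written after the hunk, which would then land one byte past the reallocated buffer. The new guard admits that sum because it rejects only `ctxt->nodelen > INT_MAX - len`; changing it to `if (ctxt->nodelen >= INT_MAX - len) {` keeps nodelen + len + 1 representable in an int and makes the clamp harmless. This is only reachable with XML_PARSE_HUGE, since the XML_MAX_TEXT_LENGTH check directly below rejects anything larger otherwise. Both guards also compute `INT_MAX - len` and so assume len is non-negative; if callers of xmlSAX2Text cannot guarantee that, reject `len < 0` first, because a negative len makes that subtraction itself overflow. xmlSAX2Text starts and ends outside the hunk.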