1From acf956f14bf79a5e6383a969aaffec98bfbc2e44 Mon Sep 17 00:00:00 2001
2From: Sebastian Pipping <sebastian@pipping.org>
3Date: Sun, 23 Jan 2022 18:17:04 +0100
4Subject: [PATCH] tests: Cover integer overflow in XML_GetBuffer
5 (CVE-2022-23852)
6
7---
8 tests/runtests.c | 27 +++++++++++++++++++++++++++
9 1 file changed, 27 insertions(+)
10
11diff --git a/tests/runtests.c b/tests/runtests.c
12index e89e822..579dad1 100644
13--- a/tests/runtests.c
14+++ b/tests/runtests.c
15@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {
16 }
17 END_TEST
18
19+/* Test for signed integer overflow CVE-2022-23852 */
20+#if defined(XML_CONTEXT_BYTES)
21+START_TEST(test_get_buffer_3_overflow) {
22+ XML_Parser parser = XML_ParserCreate(NULL);
23+ assert(parser != NULL);
24+
25+ const char *const text = "\n";
26+ const int expectedKeepValue = (int)strlen(text);
27+
28+ // After this call, variable "keep" in XML_GetBuffer will
29+ // have value expectedKeepValue
30+ if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
31+ == XML_STATUS_ERROR)
32+ xml_failure(parser);
33+
34+ assert(expectedKeepValue > 0);
35+ if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
36+ fail("enlarging buffer not failed");
37+
38+ XML_ParserFree(parser);
39+}
40+END_TEST
41+#endif // defined(XML_CONTEXT_BYTES)
42+
43 /* Test position information macros */
44 START_TEST(test_byte_info_at_end) {
45 const char *text = "<doc></doc>";
46@@ -11731,6 +11755,9 @@ make_suite(void) {
47 tcase_add_test(tc_basic, test_empty_parse);
48 tcase_add_test(tc_basic, test_get_buffer_1);
49 tcase_add_test(tc_basic, test_get_buffer_2);
50+#if defined(XML_CONTEXT_BYTES)
51+ tcase_add_test(tc_basic, test_get_buffer_3_overflow);
52+#endif
53 tcase_add_test(tc_basic, test_byte_info_at_end);
54 tcase_add_test(tc_basic, test_byte_info_at_error);
55 tcase_add_test(tc_basic, test_byte_info_at_cdata);
56--
571.8.3.1
58
59
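Review bot: At the `XML_GetBuffer` call in the first hunk, a NULL return is the only evidence that the oversized request was rejected, so a NULL that came from an ordinary allocation failure would make the test pass for the wrong reason. After the NULL check, add `if (XML_GetErrorCode(parser) == XML_ERROR_NONE) fail("XML_GetBuffer returned NULL without setting an error code");` and, once the library-side fix is confirmed to set a specific code, pin that value instead of only excluding XML_ERROR_NONE. The failure message `fail("enlarging buffer not failed");` reads awkwardly; `fail("XML_GetBuffer accepted a length that would overflow keep + len");` states what was expected. The test also relies on `INT_MAX`, which needs `<limits.h>`; this hunk does not show whether runtests.c already includes it. The second hunk only registers the test and needs no change.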