From f5b31e49bcababb8da09c2697e24d0ba80a261b6 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Thu, 1 Sep 2022 02:33:16 +0200 Subject: [PATCH] Fix overflow check in SAX2.c Reference:https://github.com/GNOME/libxml2/commit/aeb69fd3575a33eb2ffded18a444d8945bcbd741 Conflict:SAX2.c --- SAX2.c | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/SAX2.c b/SAX2.c index 0319246..9801393 100644 --- a/SAX2.c +++ b/SAX2.c @@ -28,11 +28,6 @@ #include #include -/* Define SIZE_T_MAX unless defined through . */ -#ifndef SIZE_T_MAX -# define SIZE_T_MAX ((size_t)-1) -#endif /* !SIZE_T_MAX */ - /* #define DEBUG_SAX2 */ /* #define DEBUG_SAX2_TREE */ @@ -2576,22 +2571,23 @@ xmlSAX2Text(xmlParserCtxtPtr ctxt, const xmlChar *ch, int len, xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL"); return; } - if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) && + if (ctxt->nodelen > INT_MAX - len) { + xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented"); + return; + } + if ((ctxt->nodelen + len > XML_MAX_TEXT_LENGTH) && ((ctxt->options & XML_PARSE_HUGE) == 0)) { xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node"); return; } - if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len || - (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) { - xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented"); - return; - } if (ctxt->nodelen + len >= ctxt->nodemem) { xmlChar *newbuf; - size_t size; + int size; - size = ctxt->nodemem + len; - size *= 2; + size = ctxt->nodemem > INT_MAX - len ? + INT_MAX : + ctxt->nodemem + len; + size = size > INT_MAX / 2 ? INT_MAX : size * 2; newbuf = (xmlChar *) xmlRealloc(lastChild->content,size); if (newbuf == NULL) { xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters"); -- 2.27.0