From f5b31e49bcababb8da09c2697e24d0ba80a261b6 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 1 Sep 2022 02:33:16 +0200
Subject: [PATCH] Fix overflow check in SAX2.c

Reference:https://github.com/GNOME/libxml2/commit/aeb69fd3575a33eb2ffded18a444d8945bcbd741
Conflict:SAX2.c
---
 SAX2.c | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/SAX2.c b/SAX2.c
index 0319246..9801393 100644
--- a/SAX2.c
+++ b/SAX2.c
@@ -28,11 +28,6 @@
 #include <libxml/HTMLtree.h>
 #include <libxml/globals.h>
 
-/* Define SIZE_T_MAX unless defined through <limits.h>. */
-#ifndef SIZE_T_MAX
-# define SIZE_T_MAX ((size_t)-1)
-#endif /* !SIZE_T_MAX */
-
 /* #define DEBUG_SAX2 */
 /* #define DEBUG_SAX2_TREE */
 
@@ -2576,22 +2571,23 @@ xmlSAX2Text(xmlParserCtxtPtr ctxt, const xmlChar *ch, int len,
 xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL");
 return;
 }
- if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) &&
+ if (ctxt->nodelen > INT_MAX - len) {
+ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
+ return;
+ }
+ if ((ctxt->nodelen + len > XML_MAX_TEXT_LENGTH) &&
 ((ctxt->options & XML_PARSE_HUGE) == 0)) {
 xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node");
 return;
 }
- if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
- (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
- xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
- return;
- }
 if (ctxt->nodelen + len >= ctxt->nodemem) {
 xmlChar *newbuf;
- size_t size;
+ int size;
 
- size = ctxt->nodemem + len;
- size *= 2;
+ size = ctxt->nodemem > INT_MAX - len ?
+ INT_MAX :
+ ctxt->nodemem + len;
+ size = size > INT_MAX / 2 ? INT_MAX : size * 2;
 newbuf = (xmlChar *) xmlRealloc(lastChild->content,size);
 if (newbuf == NULL) {
 xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters");
-- 
2.27.0


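Review bot: The new guard `if (ctxt->nodelen > INT_MAX - len)` still admits `ctxt->nodelen + len == INT_MAX`, and in that case the growth branch below caps `size` at INT_MAX, so the reallocated buffer has no spare byte for a terminating NUL if the function (which continues past this hunk) still stores one at `content[nodelen + len]` after copying; if it does, tightening the guard to `if (ctxt->nodelen >= INT_MAX - len) {` keeps one byte of headroom at the cost of nothing. Reaching that boundary needs XML_PARSE_HUGE and a text node close to 2 GiB, so it is an edge case rather than the common path, but the stricter comparison is free. The guard also assumes `len` is non-negative (the hunk header shows it declared as `int len`); if no earlier check in xmlSAX2Text rejects negative lengths, `INT_MAX - len` itself can overflow, so either an explicit `if (len < 0) return;` precondition or a comment stating that callers guarantee `len >= 0` would make the contract visible to the next reader.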