packages/libxml2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
libxml2/backport-Fix-overflow-check-in-SAX2.c.patch
zhuofeng feb7e8218d backport upstream patches 
(cherry picked from commit ec64ed27a9add0f7a9bf6ee351ad67302a60c383)
2023-06-20 11:16:46 +08:00

64 lines
2.1 KiB
Diff
Raw Permalink Blame History

From f5b31e49bcababb8da09c2697e24d0ba80a261b6 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 1 Sep 2022 02:33:16 +0200
Subject: [PATCH] Fix overflow check in SAX2.c
Reference:https://github.com/GNOME/libxml2/commit/aeb69fd3575a33eb2ffded18a444d8945bcbd741
Conflict:SAX2.c
---
SAX2.c | 24 ++++++++++--------------
1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/SAX2.c b/SAX2.c
index 0319246..9801393 100644
--- a/SAX2.c
+++ b/SAX2.c
@@ -28,11 +28,6 @@
#include <libxml/HTMLtree.h>
#include <libxml/globals.h>
-/* Define SIZE_T_MAX unless defined through <limits.h>. */
-#ifndef SIZE_T_MAX
-# define SIZE_T_MAX ((size_t)-1)
-#endif /* !SIZE_T_MAX */
-
/* #define DEBUG_SAX2 */
/* #define DEBUG_SAX2_TREE */
@@ -2576,22 +2571,23 @@ xmlSAX2Text(xmlParserCtxtPtr ctxt, const xmlChar *ch, int len,
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL");
return;
}
- if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) &&
+ if (ctxt->nodelen > INT_MAX - len) {
+ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
+ return;
+ }
+ if ((ctxt->nodelen + len > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node");
return;
}
- if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
- (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
- xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
- return;
- }
if (ctxt->nodelen + len >= ctxt->nodemem) {
xmlChar *newbuf;
- size_t size;
+ int size;
- size = ctxt->nodemem + len;
- size *= 2;
+ size = ctxt->nodemem > INT_MAX - len ?
+ INT_MAX :
+ ctxt->nodemem + len;
+ size = size > INT_MAX / 2 ? INT_MAX : size * 2;
newbuf = (xmlChar *) xmlRealloc(lastChild->content,size);
if (newbuf == NULL) {
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters");
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink