From 74da7cba072df4c8933532812b468da571358b23 Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin
Date: Mon, 27 Jul 2015 00:42:28 +0200
Subject: [PATCH] Fix arithmetic overflow in the bundled Expat library.

This is a modified version of the patch from Mozilla (see https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c) which was also applied to Chromium. This version prefers to use the buffer of the correct size instead of just returning an out-of-memory error if the size needed is relatively (but not extraordinarily so, e.g. just slightly more than 64KB in 32 bit builds) big.
---
 src/expat/lib/xmlparse.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/expat/lib/xmlparse.c b/src/expat/lib/xmlparse.c
index b14700eb75..e3d77a5a26 100644
--- a/src/expat/lib/xmlparse.c
+++ b/src/expat/lib/xmlparse.c
@@ -1688,6 +1688,10 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
 void * XMLCALL
 XML_GetBuffer(XML_Parser parser, int len)
 {
+ if (len < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
 switch (ps_parsing) {
 case XML_SUSPENDED:
 errorCode = XML_ERROR_SUSPENDED;
@@ -1699,8 +1703,11 @@ XML_GetBuffer(XML_Parser parser, int len)
 }
 if (len > bufferLim - bufferEnd) {
- /* FIXME avoid integer overflow */
 int neededSize = len + (int)(bufferEnd - bufferPtr);
+ if (neededSize < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
 #ifdef XML_CONTEXT_BYTES
 int keep = (int)(bufferPtr - buffer);
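Review bot: The `len < 0` guard added at the top of XML_GetBuffer only makes one operand of the later sum non-negative; the companion check in the second hunk, `if (neededSize < 0)` placed right after `int neededSize = len + (int)(bufferEnd - bufferPtr);`, still tests for signed overflow after it has happened, which is undefined behaviour and a compiler may legitimately delete a `< 0` test on the sum of two values it knows are non-negative. Performing the addition in unsigned keeps the wraparound defined so the test then works as intended: `int neededSize = (int)((unsigned)len + (unsigned)(bufferEnd - bufferPtr));`. The second hunk is cut off after `int keep = (int)(bufferPtr - buffer);` in this view, so later uses of `neededSize` are not reviewed here. Since a negative `len` is a caller error rather than an allocation failure, the reuse of `XML_ERROR_NO_MEMORY` deserves a one-line comment such as `/* negative len is a caller bug; reported as NO_MEMORY as in the Mozilla patch this is based on */`.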
@@ -1725,11 +1732,16 @@ XML_GetBuffer(XML_Parser parser, int len)
 else {
 char *newBuf;
 int bufferSize = (int)(bufferLim - bufferPtr);
- if (bufferSize == 0)
- bufferSize = INIT_BUFFER_SIZE;
- do {
- bufferSize *= 2;
- } while (bufferSize < neededSize);
+ if (neededSize < INT_MAX/2) {
+ if (bufferSize == 0)
+ bufferSize = INIT_BUFFER_SIZE;
+ do {
+ bufferSize *= 2;
+ } while (bufferSize < neededSize);
+ }
+ else {
+ bufferSize = neededSize;
+ }
 newBuf = (char *)MALLOC(bufferSize);
 if (newBuf == 0) {
 errorCode = XML_ERROR_NO_MEMORY;
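Review bot: The new `else { bufferSize = neededSize; }` branch carries no comment, and its intent (the commit message's preference for an exact-size buffer over an out-of-memory error once doubling could overflow) cannot be recovered from the code; add `/* doubling past INT_MAX/2 would overflow int: allocate exactly what is needed rather than fail */` above it. The guard itself is sound: the loop only doubles while `bufferSize < neededSize < INT_MAX/2`, so `bufferSize *= 2` cannot exceed INT_MAX. `INT_MAX` is declared in `<limits.h>`; if xmlparse.c does not already include it, the include belongs in this patch rather than relying on a transitive one. Once the exact-size branch is taken, every later growth request lands there too and pays a full allocate-and-copy, which is the trade-off the message describes and is worth stating in that comment. XML_GetBuffer's body continues outside the hunk on both sides.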