Fix arithmetic overflow in the bundled Expat library.

This is a modified version of the patch from Mozilla (see https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c) which was also applied to Chromium. This version prefers to use the buffer of the correct size instead of just returning an out-of-memory error if the size needed is relatively (but not extraordinarily so, e.g. just slightly more than 64KB in 32 bit builds) big.
2015-07-27 00:42:28 +02:00
parent 8d2772eaf2
commit 74da7cba07
1 changed files with 18 additions and 6 deletions
--- a/src/expat/lib/xmlparse.c
+++ b/src/expat/lib/xmlparse.c
@@ -1688,6 +1688,10 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
 void * XMLCALL
 XML_GetBuffer(XML_Parser parser, int len)
 {
+  if (len < 0) {
+    errorCode = XML_ERROR_NO_MEMORY;
+    return NULL;
+  }
  switch (ps_parsing) {
  case XML_SUSPENDED:
    errorCode = XML_ERROR_SUSPENDED;
@@ -1699,8 +1703,11 @@ XML_GetBuffer(XML_Parser parser, int len)
  }

  if (len > bufferLim - bufferEnd) {
-    /* FIXME avoid integer overflow */
    int neededSize = len + (int)(bufferEnd - bufferPtr);
+    if (neededSize < 0) {
+      errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
 #ifdef XML_CONTEXT_BYTES
    int keep = (int)(bufferPtr - buffer);

@@ -1725,11 +1732,16 @@ XML_GetBuffer(XML_Parser parser, int len)
    else {
      char *newBuf;
      int bufferSize = (int)(bufferLim - bufferPtr);
-      if (bufferSize == 0)
-        bufferSize = INIT_BUFFER_SIZE;
-      do {
-        bufferSize *= 2;
-      } while (bufferSize < neededSize);
+      if (neededSize < INT_MAX/2) {
+        if (bufferSize == 0)
+          bufferSize = INIT_BUFFER_SIZE;
+        do {
+          bufferSize *= 2;
+        } while (bufferSize < neededSize);
+      }
+      else {
+        bufferSize = neededSize;
+      }
      newBuf = (char *)MALLOC(bufferSize);
      if (newBuf == 0) {
        errorCode = XML_ERROR_NO_MEMORY;