Fix two integer overflows

Gustavo Grieco
2016-05-02 00:35:34 +02:00
committed by Vadim Zeitlin
parent 0f0c5aa731
commit a4d77355e3


@@ -6265,8 +6265,13 @@ poolGrow(STRING_POOL *pool)
} }
} }
if (pool->blocks && pool->start == pool->blocks->s) { if (pool->blocks && pool->start == pool->blocks->s) {
BLOCK *temp;
int blockSize = (int)(pool->end - pool->start)*2; int blockSize = (int)(pool->end - pool->start)*2;
BLOCK *temp = (BLOCK *)
if (blockSize < 0)
return XML_FALSE;
temp = (BLOCK *)
pool->mem->realloc_fcn(pool->blocks, pool->mem->realloc_fcn(pool->blocks,
(offsetof(BLOCK, s) (offsetof(BLOCK, s)
+ blockSize * sizeof(XML_Char))); + blockSize * sizeof(XML_Char)));
@@ -6281,6 +6286,10 @@ poolGrow(STRING_POOL *pool)
else { else {
BLOCK *tem; BLOCK *tem;
int blockSize = (int)(pool->end - pool->start); int blockSize = (int)(pool->end - pool->start);
if (blockSize < 0)
return XML_FALSE;
if (blockSize < INIT_BLOCK_SIZE) if (blockSize < INIT_BLOCK_SIZE)
blockSize = INIT_BLOCK_SIZE; blockSize = INIT_BLOCK_SIZE;
else else
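Review bot: The `if (blockSize < 0)` guard added in the first hunk runs only after `(int)(pool->end - pool->start)*2` has been evaluated, and a signed multiplication that overflows is already undefined behaviour, so the test is not guaranteed to fire and an optimising compiler may remove it. Doubling in unsigned arithmetic keeps the wrap well defined and lets the existing check do its job: `int blockSize = (int)((unsigned)(pool->end - pool->start)*2U);`. In the second hunk the new guard only sees the undoubled length; the `else` branch at the end of that hunk continues outside the visible lines, so if `blockSize` is doubled there, that multiplication presumably needs the same treatment. Separately, `blockSize * sizeof(XML_Char)` in the `realloc_fcn` size is computed in `size_t` and could wrap on targets with a 32-bit `size_t` when `XML_Char` is wider than one byte, so a bound on the byte count rather than the element count would be the stronger check.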