Fix two integer overflows
authorGustavo Grieco <gustavo.grieco@imag.fr>
Sun, 1 May 2016 22:35:34 +0000 (00:35 +0200)
committerSebastian Pipping <sebastian@pipping.org>
Sun, 1 May 2016 23:00:32 +0000 (01:00 +0200)
expat/lib/xmlparse.c

index 3c06e2a5fa8ebceb0ec5132ee8d4875e1053a2cd..e810e3e4df2b0f6e8921b42ca8746bd47b2498d1 100644 (file)
@@ -6287,8 +6287,13 @@ poolGrow(STRING_POOL *pool)
     }
   }
   if (pool->blocks && pool->start == pool->blocks->s) {
+    BLOCK *temp;
     int blockSize = (int)(pool->end - pool->start)*2;
-    BLOCK *temp = (BLOCK *)
+
+    if (blockSize < 0)
+      return XML_FALSE;
+
+    temp = (BLOCK *)
       pool->mem->realloc_fcn(pool->blocks,
                              (offsetof(BLOCK, s)
                               + blockSize * sizeof(XML_Char)));
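Review bot: The `if (blockSize < 0)` guard in the first branch runs only after `(int)(pool->end - pool->start)*2` has been evaluated, so it relies on signed overflow wrapping to a negative value, which is undefined behaviour in C and may be dropped by an optimizing compiler. Bounding the operand before doubling avoids that: declare `int blockSize;`, test `if (pool->end - pool->start > INT_MAX / 2) return XML_FALSE;`, then assign `blockSize = (int)(pool->end - pool->start) * 2;` (INT_MAX comes from `<limits.h>`, assuming it is or can be included in this file). The byte count `offsetof(BLOCK, s) + blockSize * sizeof(XML_Char)` passed to `realloc_fcn` is also still unchecked and could wrap where `size_t` is 32 bits and `XML_Char` is wider than one byte. poolGrow begins and ends outside this hunk.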
@@ -6303,6 +6308,10 @@ poolGrow(STRING_POOL *pool)
   else {
     BLOCK *tem;
     int blockSize = (int)(pool->end - pool->start);
+
+    if (blockSize < 0)
+      return XML_FALSE;
+
     if (blockSize < INIT_BLOCK_SIZE)
       blockSize = INIT_BLOCK_SIZE;
     else
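Review bot: The `blockSize < 0` guard in the second branch sits before the size adjustment that follows it, so it covers only the `(int)` narrowing of `pool->end - pool->start`. The `else` arm continues past the end of the hunk; if it enlarges `blockSize` (the first branch doubles it), that arithmetic is not covered by this check. A bound applied at that point, such as `if (blockSize > INT_MAX / 2) return XML_FALSE;` before the growth, would close the gap without depending on wrap-around. A one-line comment like `/* reject a pool size that no longer fits in int */` above the guard would also record why it is there.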