Detect integer overflow in poolGrow function (issue #25)
authorSebastian Pipping <sebastian@pipping.org>
Fri, 5 May 2017 20:04:02 +0000 (22:04 +0200)
committerSebastian Pipping <sebastian@pipping.org>
Fri, 5 May 2017 22:34:11 +0000 (00:34 +0200)
expat/lib/xmlparse.c

index 3bbd9c90b32299ff4bd18419b768a2b8035e6a11..663d8f69e0878b781c8508f6780abdb5e123da81 100644 (file)
@@ -6382,8 +6382,13 @@ poolGrow(STRING_POOL *pool)
 
     if (blockSize < INIT_BLOCK_SIZE)
       blockSize = INIT_BLOCK_SIZE;
-    else
+    else {
+      /* Detect overflow, avoiding _signed_ overflow undefined behavior */
+      if ((int)((unsigned)blockSize * 2U) < 0) {
+        return XML_FALSE;
+      }
       blockSize *= 2;
+    }
 
     bytesToAllocate = poolBytesToAllocateFor(blockSize);
     if (bytesToAllocate == 0)
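Review bot: The guard `if ((int)((unsigned)blockSize * 2U) < 0)` sidesteps signed overflow, but converting an out-of-range unsigned value back to int is implementation-defined (C11 6.3.1.3p3), so the check depends on two's-complement wraparound yielding a negative value rather than on anything the standard promises. Assuming blockSize is an int, as the cast and the sign test suggest, the same bound can be expressed with no conversion at all as `if (blockSize > INT_MAX / 2) { return XML_FALSE; }`, which is portable and states directly what it enforces; it needs <limits.h>, which I cannot confirm xmlparse.c already includes. The comment above it could then read `/* Doubling would overflow int; refuse rather than wrap */`. poolGrow begins and ends outside this hunk.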