]> granicus.if.org Git - libexpat/commitdiff
Detect integer overflow (CVE-2016-9063)
authorSebastian Pipping <sebastian@pipping.org>
Wed, 12 Apr 2017 21:55:45 +0000 (23:55 +0200)
committerSebastian Pipping <sebastian@pipping.org>
Tue, 2 May 2017 22:38:57 +0000 (00:38 +0200)
Needs XML_CONTEXT_BYTES to be _undefined_ to trigger,
default is defined and set to 1024.

Previously patched downstream, e.g.
https://sources.debian.net/src/expat/2.2.0-2/debian/patches/CVE-2016-9063.patch/
https://bug1274777.bmoattachments.org/attachment.cgi?id=8755538

This version avoids undefined behavior from _signed_ integer overflow.

Signed-off-by: Pascal Cuoq <cuoq@trust-in-soft.com>
expat/lib/xmlparse.c

index b62d789825c4565c55cfa851f05689a8099f3942..a8377a88f7e369c6f64112774e307797e0e42946 100644 (file)
@@ -1633,11 +1633,14 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
     nLeftOver = s + len - end;
     if (nLeftOver) {
       if (buffer == NULL || nLeftOver > bufferLim - buffer) {
-        /* FIXME avoid integer overflow */
-        char *temp;
-        temp = (buffer == NULL
-                ? (char *)MALLOC(len * 2)
-                : (char *)REALLOC(buffer, len * 2));
+        /* avoid _signed_ integer overflow */
+        char *temp = NULL;
+        const int bytesToAllocate = (int)((unsigned)len * 2U);
+        if (bytesToAllocate > 0) {
+          temp = (buffer == NULL
+                ? (char *)MALLOC(bytesToAllocate)
+                : (char *)REALLOC(buffer, bytesToAllocate));
+        }
         if (temp == NULL) {
           errorCode = XML_ERROR_NO_MEMORY;
           eventPtr = eventEndPtr = NULL;
@@ -1645,7 +1648,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
           return XML_STATUS_ERROR;
         }
         buffer = temp;
-        bufferLim = buffer + len * 2;
+        bufferLim = buffer + bytesToAllocate;
       }
       memcpy(buffer, end, nLeftOver);
     }