author | Miod Vallat <miod@cvs.openbsd.org> | 2015-08-26 19:36:24 +0000 |
---|---|---|
committer | Miod Vallat <miod@cvs.openbsd.org> | 2015-08-26 19:36:24 +0000 |
commit | 1c142578fb4203968525ce7149a405127c8557f4 (patch) | |
tree | 7ad16177062470f5a1f8cc3bc699792fba3b79fe /lib | |
parent | ab740a176f759cd5de16654c34bc118c20bd8bbd (diff) |
More overflow checks in XML_GetBuffer(), adapted from FreeBSD security
advisory FreeBSD-SA-15:20. Most of them were already fixed by niallo@'s work,
which unfortunately got removed in r1.10 /-:
With help from doug@
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libexpat/lib/xmlparse.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/libexpat/lib/xmlparse.c b/lib/libexpat/lib/xmlparse.c
index bcb4871c81e..ccb45fbbb20 100644
--- a/lib/libexpat/lib/xmlparse.c
+++ b/lib/libexpat/lib/xmlparse.c
@@ -1693,7 +1693,7 @@ XML_GetBuffer(XML_Parser parser, int len)
 }
 /* Avoid integer overflow */
- if (len > MAXLEN - (bufferEnd - bufferPtr)) {
+ if (len < 0 || len > MAXLEN - (bufferEnd - bufferPtr)) {
 errorCode = XML_ERROR_NO_MEMORY;
 return NULL;
 }
@@ -1726,6 +1726,10 @@ XML_GetBuffer(XML_Parser parser, int len)
 if (bufferSize == 0)
 bufferSize = INIT_BUFFER_SIZE;
 do {
+ if (bufferSize > MAXLEN / 2) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
 bufferSize *= 2;
 } while (bufferSize < neededSize);
 newBuf = (char *)MALLOC(bufferSize);
 |
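Review bot: The comment above the first check still reads `/* Avoid integer overflow */`, although the condition now also rejects a negative `len`, which is a separate failure mode from the sum overflowing. I would reword it to `/* Reject negative len; avoid overflow of len + (bufferEnd - bufferPtr) */` so the reason for each half of the test is recorded. A negative length is reported as `XML_ERROR_NO_MEMORY`, so callers cannot tell a bad argument from an allocation failure; that is worth a line in the function's documentation. The body of XML_GetBuffer starts and ends outside this hunk.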
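Review bot: The guard added inside the doubling loop bounds `bufferSize`, but the loop still exits on `bufferSize < neededSize`, and `neededSize` is computed between the two hunks, outside what is shown. If anything is added to `len + (bufferEnd - bufferPtr)` after the first check and `MAXLEN` is close to `INT_MAX` (its definition is not visible here), `neededSize` could wrap negative, the loop would stop after one doubling, and `MALLOC` would return a buffer smaller than the data later copied into it. An explicit test right after the computation, `if (neededSize < 0) { errorCode = XML_ERROR_NO_MEMORY; return NULL; }`, would close that path regardless of how `MAXLEN` is defined. A short comment on the new guard, `/* bufferSize * 2 must not exceed MAXLEN */`, would also help the next reader.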