diff options
author | Niall O'Higgins <niallo@cvs.openbsd.org> | 2005-11-06 00:48:47 +0000 |
---|---|---|
committer | Niall O'Higgins <niallo@cvs.openbsd.org> | 2005-11-06 00:48:47 +0000 |
commit | 794a59663794c63fb3e9058f5cfdc83c0e827763 (patch) | |
tree | 338c93334cb11d4d1d10a8f8aac6aabcfc76b16f /lib | |
parent | 4dc79549a42bec757a9f52d81349efb30269fc12 (diff) |
- fix a couple of integer overflows; the only code change so far resulting from
my audit at v2k5.
ok espie@
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libexpat/lib/xmlparse.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/libexpat/lib/xmlparse.c b/lib/libexpat/lib/xmlparse.c index 6e0fa1fc516..8ddf0d9da0e 100644 --- a/lib/libexpat/lib/xmlparse.c +++ b/lib/libexpat/lib/xmlparse.c @@ -624,6 +624,8 @@ struct XML_ParserStruct { : \ (processor != prologInitProcessor)) +#define MAXLEN 0x7fffffff + XML_Parser XML_ParserCreate(const XML_Char *encodingName) { @@ -1364,6 +1366,9 @@ XML_SetParamEntityParsing(XML_Parser parser, enum XML_Status XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) { + /* Prevent integer overflow */ + if (((len * 2) < len) && (((long long)len * 2) > MAXLEN)) + return XML_STATUS_ERROR; if (len == 0) { if (!isFinal) return XML_STATUS_OK; @@ -1462,6 +1467,9 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) void * XML_GetBuffer(XML_Parser parser, int len) { + if (((len + (bufferEnd - bufferPtr)) < len) + && ((long long)len + (bufferEnd - bufferPtr) > MAXLEN)) + return NULL; if (len > bufferLim - bufferEnd) { /* FIXME avoid integer overflow */ int neededSize = len + (bufferEnd - bufferPtr); |