summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorNiall O'Higgins <niallo@cvs.openbsd.org>2005-11-06 00:48:47 +0000
committerNiall O'Higgins <niallo@cvs.openbsd.org>2005-11-06 00:48:47 +0000
commit794a59663794c63fb3e9058f5cfdc83c0e827763 (patch)
tree338c93334cb11d4d1d10a8f8aac6aabcfc76b16f /lib
parent4dc79549a42bec757a9f52d81349efb30269fc12 (diff)
- fix a couple of integer overflows; the only code change so far resulting from
my audit at v2k5. ok espie@
Diffstat (limited to 'lib')
-rw-r--r--lib/libexpat/lib/xmlparse.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/libexpat/lib/xmlparse.c b/lib/libexpat/lib/xmlparse.c
index 6e0fa1fc516..8ddf0d9da0e 100644
--- a/lib/libexpat/lib/xmlparse.c
+++ b/lib/libexpat/lib/xmlparse.c
@@ -624,6 +624,8 @@ struct XML_ParserStruct {
: \
(processor != prologInitProcessor))
+#define MAXLEN 0x7fffffff
+
XML_Parser
XML_ParserCreate(const XML_Char *encodingName)
{
@@ -1364,6 +1366,9 @@ XML_SetParamEntityParsing(XML_Parser parser,
enum XML_Status
XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
{
+ /* Prevent integer overflow */
+ if (((len * 2) < len) && (((long long)len * 2) > MAXLEN))
+ return XML_STATUS_ERROR;
if (len == 0) {
if (!isFinal)
return XML_STATUS_OK;
@@ -1462,6 +1467,9 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
void *
XML_GetBuffer(XML_Parser parser, int len)
{
+ if (((len + (bufferEnd - bufferPtr)) < len)
+ && ((long long)len + (bufferEnd - bufferPtr) > MAXLEN))
+ return NULL;
if (len > bufferLim - bufferEnd) {
/* FIXME avoid integer overflow */
int neededSize = len + (bufferEnd - bufferPtr);