From 1c142578fb4203968525ce7149a405127c8557f4 Mon Sep 17 00:00:00 2001
From: Miod Vallat
Date: Wed, 26 Aug 2015 19:36:24 +0000
Subject: More overflow checks in XML_GetBuffer(), adapted from FreeBSD security advisory FreeBSD-SA-15:20. Most of them were already fixed by niallo@'s work, which unfortunately got removed in r1.10 /-: With help from doug@

---
 lib/libexpat/lib/xmlparse.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/libexpat/lib/xmlparse.c b/lib/libexpat/lib/xmlparse.c
index bcb4871c81e..ccb45fbbb20 100644
--- a/lib/libexpat/lib/xmlparse.c
+++ b/lib/libexpat/lib/xmlparse.c
@@ -1693,7 +1693,7 @@ XML_GetBuffer(XML_Parser parser, int len)
   }
   /* Avoid integer overflow */
-  if (len > MAXLEN - (bufferEnd - bufferPtr)) {
+  if (len < 0 || len > MAXLEN - (bufferEnd - bufferPtr)) {
     errorCode = XML_ERROR_NO_MEMORY;
     return NULL;
   }
@@ -1726,6 +1726,10 @@ XML_GetBuffer(XML_Parser parser, int len)
   if (bufferSize == 0)
     bufferSize = INIT_BUFFER_SIZE;
   do {
+    if (bufferSize > MAXLEN / 2) {
+      errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
     bufferSize *= 2;
   } while (bufferSize < neededSize);
   newBuf = (char *)MALLOC(bufferSize);
-- 
cgit v1.2.3
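Review bot: The comment above the changed condition, `/* Avoid integer overflow */`, no longer describes the whole test — the added `len < 0` branch rejects a negative request rather than an overflow, and a caller-supplied negative len is the case this hunk newly closes. Suggest `/* Reject negative lengths; avoid integer overflow in the space computation */` so both intents are visible to the next reader. Whether `MAXLEN - (bufferEnd - bufferPtr)` can itself overflow depends on MAXLEN's type, which is defined outside the hunk, so that cannot be confirmed from here. XML_GetBuffer's body continues on both sides of this hunk.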
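Review bot: The new guard inside the doubling loop has no comment, unlike the matching check in the first hunk, so its relation to the following `bufferSize *= 2;` is not obvious; suggest `/* Doubling would exceed MAXLEN (and could overflow int): give up */` above the `if`. The guard only keeps `bufferSize *= 2` from overflowing if MAXLEN itself fits in int — MAXLEN is defined outside this hunk, so that is worth confirming rather than assuming. Reporting the condition as XML_ERROR_NO_MEMORY is consistent with the first hunk. The declaration of bufferSize and the rest of XML_GetBuffer lie outside the hunk, so whether the early return leaves any parser state half-updated cannot be judged from the visible lines.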