From 7dfcea03c37d17ca0d05d7a54f9245a8fde735cc Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 11 Oct 2023 14:19:04 +0200
Subject: [PATCH] dict: Fix integer overflow in xmlDictAddString

Short-lived regression.

Older versions didn't check for integer overflow, but limited name
length to INT_MAX / 2. Reintroduce this limit.

Found by OSS-Fuzz.

Reference:https://github.com/GNOME/libxml2/commit/7dfcea03c37d17ca0d05d7a54f9245a8fde735cc
Conflict:xmlDictLookupInternal function does not exist, Therefore, the function is not incorporated.
---
 dict.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/dict.c b/dict.c
index 4de231f..af3e71a 100644
--- a/dict.c
+++ b/dict.c
@@ -264,10 +264,20 @@ xmlDictAddString(xmlDictPtr dict, const xmlChar *name, unsigned int namelen) {
             return(NULL);
         }
 
-        if (size == 0) size = 1000;
-	else size *= 4; /* exponential growth */
-        if (size < 4 * namelen)
-	    size = 4 * namelen; /* just in case ! */
+        if (size == 0) {
+            size = 1000;
+        } else {
+            if (size < (SIZE_MAX - sizeof(xmlDictStrings)) / 4)
+                size *= 4; /* exponential growth */
+            else
+                size = SIZE_MAX - sizeof(xmlDictStrings);
+        }
+        if (size / 4 < namelen) {
+            if ((size_t) namelen + 0 < (SIZE_MAX - sizeof(xmlDictStrings)) / 4)
+                size = 4 * (size_t) namelen; /* just in case ! */
+            else
+                return(NULL);
+        }
 	pool = (xmlDictStringsPtr) xmlMalloc(sizeof(xmlDictStrings) + size);
 	if (pool == NULL)
 	    return(NULL);
-- 
2.33.0