51 lines
1.6 KiB
Diff
51 lines
1.6 KiB
Diff
From 7dfcea03c37d17ca0d05d7a54f9245a8fde735cc Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Wed, 11 Oct 2023 14:19:04 +0200
|
|
Subject: [PATCH] dict: Fix integer overflow in xmlDictAddString
|
|
|
|
Short-lived regression.
|
|
|
|
Older versions didn't check for integer overflow, but limited name
|
|
length to INT_MAX / 2. Reintroduce this limit.
|
|
|
|
Found by OSS-Fuzz.
|
|
|
|
Reference:https://github.com/GNOME/libxml2/commit/7dfcea03c37d17ca0d05d7a54f9245a8fde735cc
|
|
Conflict:xmlDictLookupInternal function does not exist, Therefore, the function is not incorporated.
|
|
---
|
|
dict.c | 18 ++++++++++++++----
|
|
1 file changed, 14 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/dict.c b/dict.c
|
|
index 4de231f..af3e71a 100644
|
|
--- a/dict.c
|
|
+++ b/dict.c
|
|
@@ -264,10 +264,20 @@ xmlDictAddString(xmlDictPtr dict, const xmlChar *name, unsigned int namelen) {
|
|
return(NULL);
|
|
}
|
|
|
|
- if (size == 0) size = 1000;
|
|
- else size *= 4; /* exponential growth */
|
|
- if (size < 4 * namelen)
|
|
- size = 4 * namelen; /* just in case ! */
|
|
+ if (size == 0) {
|
|
+ size = 1000;
|
|
+ } else {
|
|
+ if (size < (SIZE_MAX - sizeof(xmlDictStrings)) / 4)
|
|
+ size *= 4; /* exponential growth */
|
|
+ else
|
|
+ size = SIZE_MAX - sizeof(xmlDictStrings);
|
|
+ }
|
|
+ if (size / 4 < namelen) {
|
|
+ if ((size_t) namelen + 0 < (SIZE_MAX - sizeof(xmlDictStrings)) / 4)
|
|
+ size = 4 * (size_t) namelen; /* just in case ! */
|
|
+ else
|
|
+ return(NULL);
|
|
+ }
|
|
pool = (xmlDictStringsPtr) xmlMalloc(sizeof(xmlDictStrings) + size);
|
|
if (pool == NULL)
|
|
return(NULL);
|
|
--
|
|
2.33.0
|
|
|