author | Sadaf Ebrahimi <sadafebrahimi@google.com> | 2022-06-22 17:15:52 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-06-22 17:15:52 +0000 |
commit | 96988ebf7264a0118a61f6a6ac417bf3f8aac5ad (patch) | |
tree | 433c92f325b980c016ef945a2e2922fa306b7e9e | |
parent | f2b297c3bd25db45119e6c926f472516cc74b9c4 (diff) | |
parent | 517a01093c30892851057bffc377e5fad5e74148 (diff) | |
Merge "Prevent XML_GetBuffer signed integer overflow" into qt-dev am: 517a01093c
Original change: https://googleplex-android-review.googlesource.com/c/platform/external/expat/+/18718601
Change-Id: Ie555145499e788a988800d95802831bd07bfe2eb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | lib/xmlparse.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 4d141129..952da9ba 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -2047,6 +2047,11 @@ XML_GetBuffer(XML_Parser parser, int len)
 keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
 if (keep > XML_CONTEXT_BYTES)
 keep = XML_CONTEXT_BYTES;
+ /* Detect and prevent integer overflow */
+ if (keep > INT_MAX - neededSize) {
+ parser->m_errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
 neededSize += keep;
 #endif /* defined XML_CONTEXT_BYTES */
 if (neededSize <= EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_buffer)) { |
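Review bot: The new guard `if (keep > INT_MAX - neededSize)` is only well-defined while `neededSize` is non-negative, because a negative value would make the subtraction itself overflow, and the added comment does not state that precondition. Whatever establishes it sits above the hunk (XML_GetBuffer starts and ends outside the visible lines), so I would spell it out at the check: `/* neededSize >= 0 is guaranteed above, so INT_MAX - neededSize cannot overflow; fail before keep is added */`. The hunk also uses `INT_MAX` without touching the include list, so it is worth confirming that `<limits.h>` is already included in this branch of lib/xmlparse.c. Reporting the condition as `XML_ERROR_NO_MEMORY` and returning NULL is reasonable for callers, provided that matches how the earlier size check in this function fails.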