authorSadaf Ebrahimi <sadafebrahimi@google.com>2022-06-22 17:15:52 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2022-06-22 17:15:52 +0000
commit96988ebf7264a0118a61f6a6ac417bf3f8aac5ad (patch)
tree433c92f325b980c016ef945a2e2922fa306b7e9e
parentf2b297c3bd25db45119e6c926f472516cc74b9c4 (diff)
parent517a01093c30892851057bffc377e5fad5e74148 (diff)
Merge "Prevent XML_GetBuffer signed integer overflow" into qt-dev am: 517a01093c
Original change: https://googleplex-android-review.googlesource.com/c/platform/external/expat/+/18718601 Change-Id: Ie555145499e788a988800d95802831bd07bfe2eb Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--lib/xmlparse.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 4d141129..952da9ba 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -2047,6 +2047,11 @@ XML_GetBuffer(XML_Parser parser, int len)
keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
if (keep > XML_CONTEXT_BYTES)
keep = XML_CONTEXT_BYTES;
+ /* Detect and prevent integer overflow */
+ if (keep > INT_MAX - neededSize) {
+ parser->m_errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
neededSize += keep;
#endif /* defined XML_CONTEXT_BYTES */
if (neededSize <= EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_buffer)) {
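Review bot: The added guard `keep > INT_MAX - neededSize` is only sound while `neededSize` is non-negative, because a negative `neededSize` would make the subtraction itself overflow. The hunk does not show how `neededSize` is computed or whether it is range-checked before this point, so that precondition should be confirmed and recorded in the comment, for example `/* Detect and prevent integer overflow; relies on neededSize >= 0 from the check above */`. The diffstat lists only lib/xmlparse.c, so a regression test that calls XML_GetBuffer with a very large `len` while context bytes are retained would be worth adding so the NULL / XML_ERROR_NO_MEMORY path stays covered. XML_GetBuffer's body begins and ends outside the hunk.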