Merge pull request #538 from libexpat/issue-532-integer-overflow

[CVE-2021-46143] lib: Prevent integer overflow on m_groupSize in function doProlog (fixes #532)
This commit is contained in:
Sebastian Pipping 2022-01-10 18:01:11 +01:00 committed by GitHub
commit 82c11af9d3
2 changed files with 21 additions and 0 deletions


@ -16,6 +16,10 @@ Release x.x.x xxx xxxxxxxx xx xxxx
where XML_ParserCreateNS is used to create the parser where XML_ParserCreateNS is used to create the parser
(which needs argument "-n" when running xmlwf). (which needs argument "-n" when running xmlwf).
Impact is denial of service, or more. Impact is denial of service, or more.
#532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
on variable m_groupSize in function doProlog leading
to realloc acting as free.
Impact is denial of service or more.
Other changes: Other changes:
#535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19 #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19
@ -27,11 +31,13 @@ Release x.x.x xxx xxxxxxxx xx xxxx
#536 CI: Check for realistic minimum CMake version #536 CI: Check for realistic minimum CMake version
Special thanks to: Special thanks to:
An anonymous whitehat
Christopher Degawa Christopher Degawa
J. Peter Mugaas J. Peter Mugaas
Tyson Smith Tyson Smith
and and
GCC Farm Project GCC Farm Project
Trend Micro Zero Day Initiative
Release 2.4.2 Sun December 19 2021 Release 2.4.2 Sun December 19 2021
Other changes: Other changes:


@ -5046,6 +5046,11 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
if (parser->m_prologState.level >= parser->m_groupSize) { if (parser->m_prologState.level >= parser->m_groupSize) {
if (parser->m_groupSize) { if (parser->m_groupSize) {
{ {
/* Detect and prevent integer overflow */
if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
return XML_ERROR_NO_MEMORY;
}
char *const new_connector = (char *)REALLOC( char *const new_connector = (char *)REALLOC(
parser, parser->m_groupConnector, parser->m_groupSize *= 2); parser, parser->m_groupConnector, parser->m_groupSize *= 2);
if (new_connector == NULL) { if (new_connector == NULL) {
@ -5056,6 +5061,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
} }
if (dtd->scaffIndex) { if (dtd->scaffIndex) {
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
return XML_ERROR_NO_MEMORY;
}
#endif
int *const new_scaff_index = (int *)REALLOC( int *const new_scaff_index = (int *)REALLOC(
parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int)); parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int));
if (new_scaff_index == NULL) if (new_scaff_index == NULL)
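Review bot: In the first hunk the new overflow guard is sound, but `parser->m_groupSize *= 2` is still evaluated as a side effect inside the REALLOC argument, so when REALLOC returns NULL `m_groupSize` has already been doubled while `m_groupConnector` still points at the smaller buffer — the same size/allocation mismatch this commit is closing, should the parser object be touched again after XML_ERROR_NO_MEMORY (the failure branch continues outside the hunk). Computing the size first and committing it only on success avoids that: `const unsigned int new_size = parser->m_groupSize * 2u;`, `char *const new_connector = (char *)REALLOC(parser, parser->m_groupConnector, new_size);`, then `parser->m_groupSize = new_size;` after the NULL check and before the scaffIndex reallocation in the second hunk, which relies on the doubled value. As a point of style, the guard spells the limit as `(unsigned int)(-1) / 2u` while the second hunk already uses `UINT_MAX`; `if (parser->m_groupSize > UINT_MAX / 2u)` matches the preprocessor guard. doProlog starts and ends outside the hunk, and the declared type of m_groupSize is not visible here — it is assumed to be unsigned int from the cast in the guard.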