lib: Prevent integer overflow at multiple places (CVE-2022-22822 to CVE-2022-22827)
The involved functions are: - addBinding (CVE-2022-22822) - build_model (CVE-2022-22823) - defineAttribute (CVE-2022-22824) - lookup (CVE-2022-22825) - nextScaffoldPart (CVE-2022-22826) - storeAtts (CVE-2022-22827)
This commit is contained in:
parent
653bcf9c25
commit
9f93e8036e
@ -3261,13 +3261,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
|
|||||||
|
|
||||||
/* get the attributes from the tokenizer */
|
/* get the attributes from the tokenizer */
|
||||||
n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
|
n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
|
||||||
|
|
||||||
|
/* Detect and prevent integer overflow */
|
||||||
|
if (n > INT_MAX - nDefaultAtts) {
|
||||||
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
}
|
||||||
|
|
||||||
if (n + nDefaultAtts > parser->m_attsSize) {
|
if (n + nDefaultAtts > parser->m_attsSize) {
|
||||||
int oldAttsSize = parser->m_attsSize;
|
int oldAttsSize = parser->m_attsSize;
|
||||||
ATTRIBUTE *temp;
|
ATTRIBUTE *temp;
|
||||||
#ifdef XML_ATTR_INFO
|
#ifdef XML_ATTR_INFO
|
||||||
XML_AttrInfo *temp2;
|
XML_AttrInfo *temp2;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* Detect and prevent integer overflow */
|
||||||
|
if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
|
||||||
|
|| (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
|
||||||
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
}
|
||||||
|
|
||||||
parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
|
parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
|
||||||
|
|
||||||
|
/* Detect and prevent integer overflow.
|
||||||
|
* The preprocessor guard addresses the "always false" warning
|
||||||
|
* from -Wtype-limits on platforms where
|
||||||
|
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||||
|
#if UINT_MAX >= SIZE_MAX
|
||||||
|
if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
|
||||||
|
parser->m_attsSize = oldAttsSize;
|
||||||
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts,
|
temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts,
|
||||||
parser->m_attsSize * sizeof(ATTRIBUTE));
|
parser->m_attsSize * sizeof(ATTRIBUTE));
|
||||||
if (temp == NULL) {
|
if (temp == NULL) {
|
||||||
@ -3276,6 +3301,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
|
|||||||
}
|
}
|
||||||
parser->m_atts = temp;
|
parser->m_atts = temp;
|
||||||
#ifdef XML_ATTR_INFO
|
#ifdef XML_ATTR_INFO
|
||||||
|
/* Detect and prevent integer overflow.
|
||||||
|
* The preprocessor guard addresses the "always false" warning
|
||||||
|
* from -Wtype-limits on platforms where
|
||||||
|
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||||
|
# if UINT_MAX >= SIZE_MAX
|
||||||
|
if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
|
||||||
|
parser->m_attsSize = oldAttsSize;
|
||||||
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
}
|
||||||
|
# endif
|
||||||
|
|
||||||
temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo,
|
temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo,
|
||||||
parser->m_attsSize * sizeof(XML_AttrInfo));
|
parser->m_attsSize * sizeof(XML_AttrInfo));
|
||||||
if (temp2 == NULL) {
|
if (temp2 == NULL) {
|
||||||
@ -3610,9 +3646,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
|
|||||||
tagNamePtr->prefixLen = prefixLen;
|
tagNamePtr->prefixLen = prefixLen;
|
||||||
for (i = 0; localPart[i++];)
|
for (i = 0; localPart[i++];)
|
||||||
; /* i includes null terminator */
|
; /* i includes null terminator */
|
||||||
|
|
||||||
|
/* Detect and prevent integer overflow */
|
||||||
|
if (binding->uriLen > INT_MAX - prefixLen
|
||||||
|
|| i > INT_MAX - (binding->uriLen + prefixLen)) {
|
||||||
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
}
|
||||||
|
|
||||||
n = i + binding->uriLen + prefixLen;
|
n = i + binding->uriLen + prefixLen;
|
||||||
if (n > binding->uriAlloc) {
|
if (n > binding->uriAlloc) {
|
||||||
TAG *p;
|
TAG *p;
|
||||||
|
|
||||||
|
/* Detect and prevent integer overflow */
|
||||||
|
if (n > INT_MAX - EXPAND_SPARE) {
|
||||||
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
}
|
||||||
|
/* Detect and prevent integer overflow.
|
||||||
|
* The preprocessor guard addresses the "always false" warning
|
||||||
|
* from -Wtype-limits on platforms where
|
||||||
|
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||||
|
#if UINT_MAX >= SIZE_MAX
|
||||||
|
if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
|
||||||
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
|
uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
|
||||||
if (! uri)
|
if (! uri)
|
||||||
return XML_ERROR_NO_MEMORY;
|
return XML_ERROR_NO_MEMORY;
|
||||||
@ -3708,6 +3766,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
|
|||||||
if (parser->m_freeBindingList) {
|
if (parser->m_freeBindingList) {
|
||||||
b = parser->m_freeBindingList;
|
b = parser->m_freeBindingList;
|
||||||
if (len > b->uriAlloc) {
|
if (len > b->uriAlloc) {
|
||||||
|
/* Detect and prevent integer overflow */
|
||||||
|
if (len > INT_MAX - EXPAND_SPARE) {
|
||||||
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Detect and prevent integer overflow.
|
||||||
|
* The preprocessor guard addresses the "always false" warning
|
||||||
|
* from -Wtype-limits on platforms where
|
||||||
|
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||||
|
#if UINT_MAX >= SIZE_MAX
|
||||||
|
if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
|
||||||
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
XML_Char *temp = (XML_Char *)REALLOC(
|
XML_Char *temp = (XML_Char *)REALLOC(
|
||||||
parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));
|
parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));
|
||||||
if (temp == NULL)
|
if (temp == NULL)
|
||||||
@ -3720,6 +3793,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
|
|||||||
b = (BINDING *)MALLOC(parser, sizeof(BINDING));
|
b = (BINDING *)MALLOC(parser, sizeof(BINDING));
|
||||||
if (! b)
|
if (! b)
|
||||||
return XML_ERROR_NO_MEMORY;
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
|
||||||
|
/* Detect and prevent integer overflow */
|
||||||
|
if (len > INT_MAX - EXPAND_SPARE) {
|
||||||
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
}
|
||||||
|
/* Detect and prevent integer overflow.
|
||||||
|
* The preprocessor guard addresses the "always false" warning
|
||||||
|
* from -Wtype-limits on platforms where
|
||||||
|
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||||
|
#if UINT_MAX >= SIZE_MAX
|
||||||
|
if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
|
||||||
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
b->uri
|
b->uri
|
||||||
= (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
|
= (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
|
||||||
if (! b->uri) {
|
if (! b->uri) {
|
||||||
@ -6141,7 +6229,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
DEFAULT_ATTRIBUTE *temp;
|
DEFAULT_ATTRIBUTE *temp;
|
||||||
|
|
||||||
|
/* Detect and prevent integer overflow */
|
||||||
|
if (type->allocDefaultAtts > INT_MAX / 2) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
int count = type->allocDefaultAtts * 2;
|
int count = type->allocDefaultAtts * 2;
|
||||||
|
|
||||||
|
/* Detect and prevent integer overflow.
|
||||||
|
* The preprocessor guard addresses the "always false" warning
|
||||||
|
* from -Wtype-limits on platforms where
|
||||||
|
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||||
|
#if UINT_MAX >= SIZE_MAX
|
||||||
|
if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts,
|
temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts,
|
||||||
(count * sizeof(DEFAULT_ATTRIBUTE)));
|
(count * sizeof(DEFAULT_ATTRIBUTE)));
|
||||||
if (temp == NULL)
|
if (temp == NULL)
|
||||||
@ -6792,8 +6897,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
|
|||||||
/* check for overflow (table is half full) */
|
/* check for overflow (table is half full) */
|
||||||
if (table->used >> (table->power - 1)) {
|
if (table->used >> (table->power - 1)) {
|
||||||
unsigned char newPower = table->power + 1;
|
unsigned char newPower = table->power + 1;
|
||||||
|
|
||||||
|
/* Detect and prevent invalid shift */
|
||||||
|
if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
size_t newSize = (size_t)1 << newPower;
|
size_t newSize = (size_t)1 << newPower;
|
||||||
unsigned long newMask = (unsigned long)newSize - 1;
|
unsigned long newMask = (unsigned long)newSize - 1;
|
||||||
|
|
||||||
|
/* Detect and prevent integer overflow */
|
||||||
|
if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
size_t tsize = newSize * sizeof(NAMED *);
|
size_t tsize = newSize * sizeof(NAMED *);
|
||||||
NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
|
NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
|
||||||
if (! newV)
|
if (! newV)
|
||||||
@ -7143,6 +7260,20 @@ nextScaffoldPart(XML_Parser parser) {
|
|||||||
if (dtd->scaffCount >= dtd->scaffSize) {
|
if (dtd->scaffCount >= dtd->scaffSize) {
|
||||||
CONTENT_SCAFFOLD *temp;
|
CONTENT_SCAFFOLD *temp;
|
||||||
if (dtd->scaffold) {
|
if (dtd->scaffold) {
|
||||||
|
/* Detect and prevent integer overflow */
|
||||||
|
if (dtd->scaffSize > UINT_MAX / 2u) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
/* Detect and prevent integer overflow.
|
||||||
|
* The preprocessor guard addresses the "always false" warning
|
||||||
|
* from -Wtype-limits on platforms where
|
||||||
|
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||||
|
#if UINT_MAX >= SIZE_MAX
|
||||||
|
if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
temp = (CONTENT_SCAFFOLD *)REALLOC(
|
temp = (CONTENT_SCAFFOLD *)REALLOC(
|
||||||
parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
|
parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
|
||||||
if (temp == NULL)
|
if (temp == NULL)
|
||||||
@ -7212,8 +7343,26 @@ build_model(XML_Parser parser) {
|
|||||||
XML_Content *ret;
|
XML_Content *ret;
|
||||||
XML_Content *cpos;
|
XML_Content *cpos;
|
||||||
XML_Char *str;
|
XML_Char *str;
|
||||||
int allocsize = (dtd->scaffCount * sizeof(XML_Content)
|
|
||||||
+ (dtd->contentStringLen * sizeof(XML_Char)));
|
/* Detect and prevent integer overflow.
|
||||||
|
* The preprocessor guard addresses the "always false" warning
|
||||||
|
* from -Wtype-limits on platforms where
|
||||||
|
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||||
|
#if UINT_MAX >= SIZE_MAX
|
||||||
|
if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
if (dtd->scaffCount * sizeof(XML_Content)
|
||||||
|
> (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
|
||||||
|
+ (dtd->contentStringLen * sizeof(XML_Char)));
|
||||||
|
|
||||||
ret = (XML_Content *)MALLOC(parser, allocsize);
|
ret = (XML_Content *)MALLOC(parser, allocsize);
|
||||||
if (! ret)
|
if (! ret)
|
||||||
|
Loading…
Reference in New Issue
Block a user