CVE-2015-1283 Sanity check size calculations. r=peterv, a=abillings

https://sourceforge.net/p/expat/bugs/528/
2016-03-02 13:31:21 +01:00 · 2016-03-02 13:31:21 +01:00 · ba0f9c3b40
commit ba0f9c3b40
parent 3f5ed8f18d
1 changed files with 13 additions and 2 deletions
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@ -1678,6 +1678,10 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
 void * XMLCALL
 XML_GetBuffer(XML_Parser parser, int len)
 {
+  if (len < 0) {
+    errorCode = XML_ERROR_NO_MEMORY;
+    return NULL;
+  }
  switch (ps_parsing) {
  case XML_SUSPENDED:
    errorCode = XML_ERROR_SUSPENDED;
@ -1689,8 +1693,11 @@ XML_GetBuffer(XML_Parser parser, int len)
  }

  if (len > bufferLim - bufferEnd) {
-    /* FIXME avoid integer overflow */
    int neededSize = len + (int)(bufferEnd - bufferPtr);
+    if (neededSize < 0) {
+      errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
 #ifdef XML_CONTEXT_BYTES
    int keep = (int)(bufferPtr - buffer);

@ -1719,7 +1726,11 @@ XML_GetBuffer(XML_Parser parser, int len)
        bufferSize = INIT_BUFFER_SIZE;
      do {
        bufferSize *= 2;
-      } while (bufferSize < neededSize);
+      } while (bufferSize < neededSize && bufferSize > 0);
+      if (bufferSize <= 0) {
+        errorCode = XML_ERROR_NO_MEMORY;
+        return NULL;
+      }
      newBuf = (char *)MALLOC(bufferSize);
      if (newBuf == 0) {
        errorCode = XML_ERROR_NO_MEMORY;