diff --git a/lib/xmlparse.c b/lib/xmlparse.c |
|
index d54af683..5ce31402 100644 |
|
--- a/lib/xmlparse.c |
|
+++ b/lib/xmlparse.c |
|
@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) { |
|
keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer); |
|
if (keep > XML_CONTEXT_BYTES) |
|
keep = XML_CONTEXT_BYTES; |
|
+ /* Detect and prevent integer overflow */ |
|
+ if (keep > INT_MAX - neededSize) { |
|
+ parser->m_errorCode = XML_ERROR_NO_MEMORY; |
|
+ return NULL; |
|
+ } |
|
neededSize += keep; |
|
#endif /* defined XML_CONTEXT_BYTES */ |
|
if (neededSize |
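Review bot: The new guard `keep > INT_MAX - neededSize` is only well-defined when `neededSize` is non-negative at that point, and nothing visible in this hunk establishes that; with a negative `neededSize` the subtraction itself would be a signed overflow. If an earlier check in XML_GetBuffer already rejects a negative `neededSize` (the function starts and ends outside the hunk, so this cannot be confirmed here), the comment should record that precondition instead of the generic wording, for example `/* neededSize >= 0 here; reject before neededSize += keep overflows int */`. Note also that `keep` comes from an `(int)` cast of a pointer difference on the context line above and is only capped from above, so the same comment could state that `keep` is expected to be in `[0, XML_CONTEXT_BYTES]`.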
|
diff --git a/tests/runtests.c b/tests/runtests.c |
|
index e89e8220..579dad1a 100644 |
|
--- a/tests/runtests.c |
|
+++ b/tests/runtests.c |
|
@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) { |
|
} |
|
END_TEST |
|
|
|
+/* Test for signed integer overflow CVE-2022-23852 */ |
|
+#if defined(XML_CONTEXT_BYTES) |
|
+START_TEST(test_get_buffer_3_overflow) { |
|
+ XML_Parser parser = XML_ParserCreate(NULL); |
|
+ assert(parser != NULL); |
|
+ |
|
+ const char *const text = "\n"; |
|
+ const int expectedKeepValue = (int)strlen(text); |
|
+ |
|
+ // After this call, variable "keep" in XML_GetBuffer will |
|
+ // have value expectedKeepValue |
|
+ if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */) |
|
+ == XML_STATUS_ERROR) |
|
+ xml_failure(parser); |
|
+ |
|
+ assert(expectedKeepValue > 0); |
|
+ if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL) |
|
+ fail("enlarging buffer not failed"); |
|
+ |
|
+ XML_ParserFree(parser); |
|
+} |
|
+END_TEST |
|
+#endif // defined(XML_CONTEXT_BYTES) |
|
+ |
|
/* Test position information macros */ |
|
START_TEST(test_byte_info_at_end) { |
|
const char *text = "<doc></doc>"; |
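Review bot: test_get_buffer_3_overflow passes on any NULL return from `XML_GetBuffer`, so it does not show that the new overflow guard is the path that rejected the request. Adding `if (XML_GetErrorCode(parser) != XML_ERROR_NO_MEMORY) fail("unexpected error code");` after the NULL check would at least pin the reported error, although a genuine allocation failure for a request this large may well report the same code, so the test is best run under UBSan or `-ftrapv` to actually catch a regression. The two `assert()` calls are compiled out under `NDEBUG`; using the harness instead, e.g. `if (parser == NULL) fail("parser not created");`, keeps the setup checks active in every build. The test also depends on the parser leaving exactly `strlen(text)` bytes in front of `m_bufferPtr`, which the comment states but the test cannot verify from outside.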
|
@@ -11731,6 +11755,9 @@ make_suite(void) { |
|
tcase_add_test(tc_basic, test_empty_parse); |
|
tcase_add_test(tc_basic, test_get_buffer_1); |
|
tcase_add_test(tc_basic, test_get_buffer_2); |
|
+#if defined(XML_CONTEXT_BYTES) |
|
+ tcase_add_test(tc_basic, test_get_buffer_3_overflow); |
|
+#endif |
|
tcase_add_test(tc_basic, test_byte_info_at_end); |
|
tcase_add_test(tc_basic, test_byte_info_at_error); |
|
tcase_add_test(tc_basic, test_byte_info_at_cdata); |
|
|
|
|