From ede41d1e186ed2aba88a06e84cac839b770af3a1 Mon Sep 17 00:00:00 2001 |
|
From: Sebastian Pipping <sebastian@pipping.org> |
|
Date: Wed, 26 Jan 2022 02:36:43 +0100 |
|
Subject: [PATCH 1/2] lib: Prevent integer overflow in doProlog |
|
(CVE-2022-23990) |
|
|
|
The change from "int nameLen" to "size_t nameLen" |
|
addresses the overflow on "nameLen++" in code |
|
"for (; name[nameLen++];)" right above the second |
|
change in the patch. |
|
--- |
|
expat/lib/xmlparse.c | 10 ++++++++-- |
|
1 file changed, 8 insertions(+), 2 deletions(-) |
|
|
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c |
|
index 5ce31402..d1d17005 100644 |
|
--- a/lib/xmlparse.c |
|
+++ b/lib/xmlparse.c |
|
@@ -5372,7 +5372,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, |
|
if (dtd->in_eldecl) { |
|
ELEMENT_TYPE *el; |
|
const XML_Char *name; |
|
- int nameLen; |
|
+ size_t nameLen; |
|
const char *nxt |
|
= (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar); |
|
int myindex = nextScaffoldPart(parser); |
|
@@ -5388,7 +5388,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, |
|
nameLen = 0; |
|
for (; name[nameLen++];) |
|
; |
|
- dtd->contentStringLen += nameLen; |
|
+ |
|
+ /* Detect and prevent integer overflow */ |
|
+ if (nameLen > UINT_MAX - dtd->contentStringLen) { |
|
+ return XML_ERROR_NO_MEMORY; |
|
+ } |
|
+ |
|
+ dtd->contentStringLen += (unsigned)nameLen; |
|
if (parser->m_elementDeclHandler) |
|
handleDefault = XML_FALSE; |
|
}
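Review bot: The new guard `if (nameLen > UINT_MAX - dtd->contentStringLen)` is only a correct bound if `dtd->contentStringLen` is an `unsigned int`; the `(unsigned)nameLen` cast and the `UINT_MAX` limit suggest it is, but the field's definition is outside this hunk and should be confirmed, since a field of a different width or signedness would make the bound not match the range the addition can actually overflow. With `nameLen` now `size_t`, the comparison promotes the right-hand side to `size_t` where that type is wider, so the check is sound on both 32- and 64-bit targets. A short comment would help future readers, because the counting loop post-increments on the NUL and so `nameLen` is the string length plus one: `/* nameLen includes the terminating NUL */` placed before the check. `UINT_MAX` requires `<limits.h>`; whether xmlparse.c already includes it is not visible here. doProlog begins and ends outside the hunk.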
|
|
|