You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
24 lines
1.3 KiB
24 lines
1.3 KiB
diff -up thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 thunderbird-91.7.0/parser/expat/lib/xmlparse.c |
|
--- thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 2022-03-02 18:17:50.966583254 +0100 |
|
+++ thunderbird-91.7.0/parser/expat/lib/xmlparse.c 2022-03-02 18:19:27.636924735 +0100 |
|
@@ -2479,6 +2479,7 @@ storeRawNames(XML_Parser parser) |
|
while (tag) { |
|
int bufSize; |
|
int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1); |
|
+ size_t rawNameLen; |
|
char *rawNameBuf = tag->buf + nameLen; |
|
/* Stop if already stored. Since tagStack is a stack, we can stop |
|
at the first entry that has already been copied; everything |
|
@@ -2490,7 +2491,11 @@ storeRawNames(XML_Parser parser) |
|
/* For re-use purposes we need to ensure that the |
|
size of tag->buf is a multiple of sizeof(XML_Char). |
|
*/ |
|
- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char)); |
|
+ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char)); |
|
+ /* Detect and prevent integer overflow. */ |
|
+ if (rawNameLen > (size_t)INT_MAX - nameLen) |
|
+ return XML_FALSE; |
|
+ bufSize = nameLen + (int)rawNameLen; |
|
if (bufSize > tag->bufEnd - tag->buf) { |
|
char *temp = (char *)REALLOC(tag->buf, bufSize); |
|
if (temp == NULL)
|
|
|