| From b07251215ef48c70c6e56f7351406c47cfca4d5b Mon Sep 17 00:00:00 2001 |
| From: Nick Wellnhofer <wellnhofer@aevum.de> |
| Date: Fri, 10 Jan 2020 15:55:07 +0100 |
| Subject: [PATCH] Fix integer overflow in xmlBufferResize |
| |
| Found by OSS-Fuzz. |
| |
| CVE: CVE-2022-29824 |
| |
| Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/b07251215ef48c70c6e56f7351406c47cfca4d5b] |
| |
| Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com> |
| |
| --- |
| tree.c | 9 +++++++-- |
| 1 file changed, 7 insertions(+), 2 deletions(-) |
| |
| diff --git a/tree.c b/tree.c |
| index 0d7fc98c..f43f6de1 100644 |
| --- a/tree.c |
| +++ b/tree.c |
| @@ -7424,12 +7424,17 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) |
| if (size < buf->size) |
| return 1; |
| |
| + if (size > UINT_MAX - 10) { |
| + xmlTreeErrMemory("growing buffer"); |
| + return 0; |
| + } |
| + |
| /* figure out new size */ |
| switch (buf->alloc){ |
| case XML_BUFFER_ALLOC_IO: |
| case XML_BUFFER_ALLOC_DOUBLEIT: |
| /*take care of empty case*/ |
| - newSize = (buf->size ? buf->size*2 : size + 10); |
| + newSize = (buf->size ? buf->size : size + 10); |
| while (size > newSize) { |
| if (newSize > UINT_MAX / 2) { |
| xmlTreeErrMemory("growing buffer"); |
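Review bot: The new `if (size > UINT_MAX - 10)` guard carries no comment tying its 10 to the `size + 10` slack computed on the `newSize = (buf->size ? buf->size : size + 10);` line below it, so the two constants can silently drift apart in a later edit; I would add `/* 10 is the slack added to size below; reject requests that would wrap */` above the guard, or better, lift the slack into one named constant used in both places. Reporting the rejection through `xmlTreeErrMemory("growing buffer")` presents an overflow as an allocation failure, which is consistent with how the doubling loop's `UINT_MAX / 2` check already fails, so that choice looks fine. Separately, the commit's CVE trailer names CVE-2022-29824, whose upstream fix as I recall also touched the xmlBuf routines in buf.c; this backport only patches tree.c, so it is worth confirming the companion change is applied in the same series. The rest of xmlBufferResize, including the loop body that doubles newSize and the allocation that consumes it, lies outside this hunk.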
| @@ -7445,7 +7450,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) |
| if (buf->use < BASE_BUFFER_SIZE) |
| newSize = size; |
| else { |
| - newSize = buf->size * 2; |
| + newSize = buf->size; |
| while (size > newSize) { |
| if (newSize > UINT_MAX / 2) { |
| xmlTreeErrMemory("growing buffer"); |
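Review bot: The `newSize = buf->size;` line does not handle an empty buffer the way the first hunk does: if buf->size is 0 here, the doubling loop that follows (its body is outside the hunk, presumably `newSize *= 2`) can never raise newSize above 0 and never reaches the `UINT_MAX / 2` check, so `while (size > newSize)` would not terminate. This branch is only entered when `buf->use >= BASE_BUFFER_SIZE`, which should imply a non-zero size, but nothing in the hunk enforces that invariant. Mirroring the other scheme with `newSize = (buf->size ? buf->size : size + 10);` costs nothing and keeps the two branches consistent; the `size + 10` is safe because of the `UINT_MAX - 10` guard added earlier in the same function. This is a pre-existing property of the old `buf->size * 2` line rather than a regression, and the loop body and the remainder of xmlBufferResize continue past the end of the hunk.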
| -- |
| GitLab |
| |
| |