commit 1b57efe37fd4ef80058b05415a2a0e6b8eaab565

Author: Tomas Korbar <tkorbar@redhat.com>

Date:   Mon Mar 21 12:51:17 2022 +0100

    Prevent integer overflow in storeRawNames

diff --git a/lib/xmlparse.c b/lib/xmlparse.c

index 4bfb860..989ab8c 100644

--- a/lib/xmlparse.c

+++ b/lib/xmlparse.c

@@ -2099,6 +2099,7 @@ storeRawNames(XML_Parser parser)

   while (tag) {

     int bufSize;

     int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);

+    size_t rawNameLen;

     char *rawNameBuf = tag->buf + nameLen;

     /* Stop if already stored.  Since tagStack is a stack, we can stop

        at the first entry that has already been copied; everything

@@ -2110,7 +2111,11 @@ storeRawNames(XML_Parser parser)

     /* For re-use purposes we need to ensure that the

        size of tag->buf is a multiple of sizeof(XML_Char).

     */

-    bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));

+    rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));

+    /* Detect and prevent integer overflow. */

+    if (rawNameLen > (size_t)INT_MAX - nameLen)

+      return XML_FALSE;

+    bufSize = nameLen + (int)rawNameLen;

     if (bufSize > tag->bufEnd - tag->buf) {

       char *temp = (char *)REALLOC(tag->buf, bufSize);

       if (temp == NULL)