|
 |
4e0c08 |
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
|
|
4e0c08 |
index d54af683..5ce31402 100644
|
|
|
4e0c08 |
--- a/lib/xmlparse.c
|
|
|
4e0c08 |
+++ b/lib/xmlparse.c
|
|
|
4e0c08 |
@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
|
|
|
4e0c08 |
keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
|
|
|
4e0c08 |
if (keep > XML_CONTEXT_BYTES)
|
|
|
4e0c08 |
keep = XML_CONTEXT_BYTES;
|
|
|
4e0c08 |
+ /* Detect and prevent integer overflow */
|
|
|
4e0c08 |
+ if (keep > INT_MAX - neededSize) {
|
|
|
4e0c08 |
+ parser->m_errorCode = XML_ERROR_NO_MEMORY;
|
|
|
4e0c08 |
+ return NULL;
|
|
|
4e0c08 |
+ }
|
|
|
4e0c08 |
neededSize += keep;
|
|
|
4e0c08 |
#endif /* defined XML_CONTEXT_BYTES */
|
|
|
4e0c08 |
if (neededSize
|
|
|
4e0c08 |
diff --git a/tests/runtests.c b/tests/runtests.c
|
|
|
4e0c08 |
index e89e8220..579dad1a 100644
|
|
|
4e0c08 |
--- a/tests/runtests.c
|
|
|
4e0c08 |
+++ b/tests/runtests.c
|
|
|
4e0c08 |
@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {
|
|
|
4e0c08 |
}
|
|
|
4e0c08 |
END_TEST
|
|
|
4e0c08 |
|
|
|
4e0c08 |
+/* Test for signed integer overflow CVE-2022-23852 */
|
|
|
4e0c08 |
+#if defined(XML_CONTEXT_BYTES)
|
|
|
4e0c08 |
+START_TEST(test_get_buffer_3_overflow) {
|
|
|
4e0c08 |
+ XML_Parser parser = XML_ParserCreate(NULL);
|
|
|
4e0c08 |
+ assert(parser != NULL);
|
|
|
4e0c08 |
+
|
|
|
4e0c08 |
+ const char *const text = "\n";
|
|
|
4e0c08 |
+ const int expectedKeepValue = (int)strlen(text);
|
|
|
4e0c08 |
+
|
|
|
4e0c08 |
+ // After this call, variable "keep" in XML_GetBuffer will
|
|
|
4e0c08 |
+ // have value expectedKeepValue
|
|
|
4e0c08 |
+ if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
|
|
|
4e0c08 |
+ == XML_STATUS_ERROR)
|
|
|
4e0c08 |
+ xml_failure(parser);
|
|
|
4e0c08 |
+
|
|
|
4e0c08 |
+ assert(expectedKeepValue > 0);
|
|
|
4e0c08 |
+ if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
|
|
|
4e0c08 |
+ fail("enlarging buffer not failed");
|
|
|
4e0c08 |
+
|
|
|
4e0c08 |
+ XML_ParserFree(parser);
|
|
|
4e0c08 |
+}
|
|
|
4e0c08 |
+END_TEST
|
|
|
4e0c08 |
+#endif // defined(XML_CONTEXT_BYTES)
|
|
|
4e0c08 |
+
|
|
|
4e0c08 |
/* Test position information macros */
|
|
|
4e0c08 |
START_TEST(test_byte_info_at_end) {
|
|
|
4e0c08 |
const char *text = "<doc></doc>";
|
|
|
4e0c08 |
@@ -11731,6 +11755,9 @@ make_suite(void) {
|
|
|
4e0c08 |
tcase_add_test(tc_basic, test_empty_parse);
|
|
|
4e0c08 |
tcase_add_test(tc_basic, test_get_buffer_1);
|
|
|
4e0c08 |
tcase_add_test(tc_basic, test_get_buffer_2);
|
|
|
4e0c08 |
+#if defined(XML_CONTEXT_BYTES)
|
|
|
4e0c08 |
+ tcase_add_test(tc_basic, test_get_buffer_3_overflow);
|
|
|
4e0c08 |
+#endif
|
|
|
4e0c08 |
tcase_add_test(tc_basic, test_byte_info_at_end);
|
|
|
4e0c08 |
tcase_add_test(tc_basic, test_byte_info_at_error);
|
|
|
4e0c08 |
tcase_add_test(tc_basic, test_byte_info_at_cdata);
|
|
|
4e0c08 |
|