From 9f93e8036e842329863bf20395b8fb8f73834d9e Mon Sep 17 00:00:00 2001

From: Sebastian Pipping <sebastian@pipping.org>

Date: Thu, 30 Dec 2021 22:46:03 +0100

Subject: [PATCH] lib: Prevent integer overflow at multiple places

 (CVE-2022-22822 to CVE-2022-22827)

The involved functions are:

- addBinding (CVE-2022-22822)

- build_model (CVE-2022-22823)

- defineAttribute (CVE-2022-22824)

- lookup (CVE-2022-22825)

- nextScaffoldPart (CVE-2022-22826)

- storeAtts (CVE-2022-22827)

---

 expat/lib/xmlparse.c | 153 ++++++++++++++++++++++++++++++++++++++++++-

 1 file changed, 151 insertions(+), 2 deletions(-)

diff --git a/lib/xmlparse.c b/lib/xmlparse.c

index 8f243126..575e73ee 100644

--- a/lib/xmlparse.c

+++ b/lib/xmlparse.c

@@ -3261,13 +3261,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,

   /* get the attributes from the tokenizer */

   n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);

+

+  /* Detect and prevent integer overflow */

+  if (n > INT_MAX - nDefaultAtts) {

+    return XML_ERROR_NO_MEMORY;

+  }

+

   if (n + nDefaultAtts > parser->m_attsSize) {

     int oldAttsSize = parser->m_attsSize;

     ATTRIBUTE *temp;

 #ifdef XML_ATTR_INFO

     XML_AttrInfo *temp2;

 #endif

+

+    /* Detect and prevent integer overflow */

+    if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)

+        || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {

+      return XML_ERROR_NO_MEMORY;

+    }

+

     parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;

+

+    /* Detect and prevent integer overflow.

+     * The preprocessor guard addresses the "always false" warning

+     * from -Wtype-limits on platforms where

+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */

+#if UINT_MAX >= SIZE_MAX

+    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {

+      parser->m_attsSize = oldAttsSize;

+      return XML_ERROR_NO_MEMORY;

+    }

+#endif

+

     temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts,

                                 parser->m_attsSize * sizeof(ATTRIBUTE));

     if (temp == NULL) {

@@ -3276,6 +3301,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,

     }

     parser->m_atts = temp;

 #ifdef XML_ATTR_INFO

+    /* Detect and prevent integer overflow.

+     * The preprocessor guard addresses the "always false" warning

+     * from -Wtype-limits on platforms where

+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */

+#  if UINT_MAX >= SIZE_MAX

+    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {

+      parser->m_attsSize = oldAttsSize;

+      return XML_ERROR_NO_MEMORY;

+    }

+#  endif

+

     temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo,

                                     parser->m_attsSize * sizeof(XML_AttrInfo));

     if (temp2 == NULL) {

@@ -3610,9 +3646,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,

   tagNamePtr->prefixLen = prefixLen;

   for (i = 0; localPart[i++];)

     ; /* i includes null terminator */

+

+  /* Detect and prevent integer overflow */

+  if (binding->uriLen > INT_MAX - prefixLen

+      || i > INT_MAX - (binding->uriLen + prefixLen)) {

+    return XML_ERROR_NO_MEMORY;

+  }

+

   n = i + binding->uriLen + prefixLen;

   if (n > binding->uriAlloc) {

     TAG *p;

+

+    /* Detect and prevent integer overflow */

+    if (n > INT_MAX - EXPAND_SPARE) {

+      return XML_ERROR_NO_MEMORY;

+    }

+    /* Detect and prevent integer overflow.

+     * The preprocessor guard addresses the "always false" warning

+     * from -Wtype-limits on platforms where

+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */

+#if UINT_MAX >= SIZE_MAX

+    if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {

+      return XML_ERROR_NO_MEMORY;

+    }

+#endif

+

     uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));

     if (! uri)

       return XML_ERROR_NO_MEMORY;

@@ -3708,6 +3766,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,

   if (parser->m_freeBindingList) {

     b = parser->m_freeBindingList;

     if (len > b->uriAlloc) {

+      /* Detect and prevent integer overflow */

+      if (len > INT_MAX - EXPAND_SPARE) {

+        return XML_ERROR_NO_MEMORY;

+      }

+

+      /* Detect and prevent integer overflow.

+       * The preprocessor guard addresses the "always false" warning

+       * from -Wtype-limits on platforms where

+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */

+#if UINT_MAX >= SIZE_MAX

+      if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {

+        return XML_ERROR_NO_MEMORY;

+      }

+#endif

+

       XML_Char *temp = (XML_Char *)REALLOC(

           parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));

       if (temp == NULL)

@@ -3720,6 +3793,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,

     b = (BINDING *)MALLOC(parser, sizeof(BINDING));

     if (! b)

       return XML_ERROR_NO_MEMORY;

+

+    /* Detect and prevent integer overflow */

+    if (len > INT_MAX - EXPAND_SPARE) {

+      return XML_ERROR_NO_MEMORY;

+    }

+    /* Detect and prevent integer overflow.

+     * The preprocessor guard addresses the "always false" warning

+     * from -Wtype-limits on platforms where

+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */

+#if UINT_MAX >= SIZE_MAX

+    if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {

+      return XML_ERROR_NO_MEMORY;

+    }

+#endif

+

     b->uri

         = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));

     if (! b->uri) {

@@ -6141,7 +6229,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,

       }

     } else {

       DEFAULT_ATTRIBUTE *temp;

+

+      /* Detect and prevent integer overflow */

+      if (type->allocDefaultAtts > INT_MAX / 2) {

+        return 0;

+      }

+

       int count = type->allocDefaultAtts * 2;

+

+      /* Detect and prevent integer overflow.

+       * The preprocessor guard addresses the "always false" warning

+       * from -Wtype-limits on platforms where

+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */

+#if UINT_MAX >= SIZE_MAX

+      if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {

+        return 0;

+      }

+#endif

+

       temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts,

                                           (count * sizeof(DEFAULT_ATTRIBUTE)));

       if (temp == NULL)

@@ -6792,8 +6897,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {

     /* check for overflow (table is half full) */

     if (table->used >> (table->power - 1)) {

       unsigned char newPower = table->power + 1;

+

+      /* Detect and prevent invalid shift */

+      if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {

+        return NULL;

+      }

+

       size_t newSize = (size_t)1 << newPower;

       unsigned long newMask = (unsigned long)newSize - 1;

+

+      /* Detect and prevent integer overflow */

+      if (newSize > (size_t)(-1) / sizeof(NAMED *)) {

+        return NULL;

+      }

+

       size_t tsize = newSize * sizeof(NAMED *);

       NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);

       if (! newV)

@@ -7143,6 +7260,20 @@ nextScaffoldPart(XML_Parser parser) {

   if (dtd->scaffCount >= dtd->scaffSize) {

     CONTENT_SCAFFOLD *temp;

     if (dtd->scaffold) {

+      /* Detect and prevent integer overflow */

+      if (dtd->scaffSize > UINT_MAX / 2u) {

+        return -1;

+      }

+      /* Detect and prevent integer overflow.

+       * The preprocessor guard addresses the "always false" warning

+       * from -Wtype-limits on platforms where

+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */

+#if UINT_MAX >= SIZE_MAX

+      if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {

+        return -1;

+      }

+#endif

+

       temp = (CONTENT_SCAFFOLD *)REALLOC(

           parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));

       if (temp == NULL)

@@ -7212,8 +7343,26 @@ build_model(XML_Parser parser) {

   XML_Content *ret;

   XML_Content *cpos;

   XML_Char *str;

-  int allocsize = (dtd->scaffCount * sizeof(XML_Content)

-                   + (dtd->contentStringLen * sizeof(XML_Char)));

+

+  /* Detect and prevent integer overflow.

+   * The preprocessor guard addresses the "always false" warning

+   * from -Wtype-limits on platforms where

+   * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */

+#if UINT_MAX >= SIZE_MAX

+  if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {

+    return NULL;

+  }

+  if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {

+    return NULL;

+  }

+#endif

+  if (dtd->scaffCount * sizeof(XML_Content)

+      > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {

+    return NULL;

+  }

+

+  const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)

+                            + (dtd->contentStringLen * sizeof(XML_Char)));

   ret = (XML_Content *)MALLOC(parser, allocsize);

   if (! ret)