rpms / expat

Clone
Source Code
GIT

Blame SOURCES/expat-2.2.5-Prevent-integer-overflow-in-storeRawNames.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c8s c9 c9-beta
  1.   1581cbb42adef8feb913ff9d0d7de951da426184
  2.   SOURCES
  3.   expat-2.2.5-Prevent-integer-overflow-in-storeRawNames.patch
Blob History Raw
8ad338 
commit 3a4141add108097fa548b196f5950c6663e1578e
8ad338 
Author: Tomas Korbar <tkorbar@redhat.com>
8ad338 
Date:   Thu Mar 3 13:50:20 2022 +0100
8ad338
8ad338 
    CVE-2022-25315
8ad338
8ad338 
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
8ad338 
index f0061c8..45fda00 100644
8ad338 
--- a/lib/xmlparse.c
8ad338 
+++ b/lib/xmlparse.c
8ad338 
@@ -2508,6 +2508,7 @@ storeRawNames(XML_Parser parser)
8ad338 
   while (tag) {
8ad338 
     int bufSize;
8ad338 
     int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);
8ad338 
+    size_t rawNameLen;
8ad338 
     char *rawNameBuf = tag->buf + nameLen;
8ad338 
     /* Stop if already stored.  Since m_tagStack is a stack, we can stop
8ad338 
        at the first entry that has already been copied; everything
8ad338 
@@ -2519,7 +2520,11 @@ storeRawNames(XML_Parser parser)
8ad338 
     /* For re-use purposes we need to ensure that the
8ad338 
        size of tag->buf is a multiple of sizeof(XML_Char).
8ad338 
     */
8ad338 
-    bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
8ad338 
+    rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
8ad338 
+    /* Detect and prevent integer overflow. */
8ad338 
+    if (rawNameLen > (size_t)INT_MAX - nameLen)
8ad338 
+      return XML_FALSE;
8ad338 
+    bufSize = nameLen + (int)rawNameLen;
8ad338 
     if (bufSize > tag->bufEnd - tag->buf) {
8ad338 
       char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
8ad338 
       if (temp == NULL)

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation