From ce6eddc1a167dafaac17c7bad9fa6b013fada31b Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Fri, 25 Feb 2022 13:07:07 -0500

Subject: [PATCH 5/6] lib: Prevent more integer overflows (CVE-2022-22822 to

 CVE-2022-22827)

Backport fixes from https://github.com/libexpat/libexpat/pull/539

Resolves: #2058567, #2058576, #2058282, #2058589, #2058595, #2058602

---

 lib/expat/xmlparse/xmlparse.c | 40 +++++++++++++++++++++++++++++++++++

 1 file changed, 40 insertions(+)

diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c

index 48adfb3..16ab82a 100644

--- a/lib/expat/xmlparse/xmlparse.c

+++ b/lib/expat/xmlparse/xmlparse.c

@@ -19,6 +19,7 @@ See the file copying.txt for copying permission.

 #include <assert.h>

 #include <limits.h>                     /* UINT_MAX */

 #include <time.h>                       /* time() */

+#include <stdint.h>

 #include "xmlrpc_config.h"

 #include "c_util.h"

@@ -1076,6 +1077,9 @@ int addBinding(XML_Parser parser,

     ;

   if (namespaceSeparator)

     len++;

+  if (namespaceSeparator && (uri[len] == namespaceSeparator)) {

+    return XML_ERROR_SYNTAX;

+  }

   if (freeBindingList) {

     b = freeBindingList;

     if (len > b->uriAlloc) {

@@ -2116,10 +2120,32 @@ storeAtts(XML_Parser       const xmlParserP,

   }

   /* get the attributes from the tokenizer */

   n = XmlGetAttributes(enc, attStr, attsSize, atts);

+

+

+  /* Detect and prevent integer overflow */

+  if (n > INT_MAX - nDefaultAtts) {

+    return XML_ERROR_NO_MEMORY;

+  }

+

   if (n + nDefaultAtts > attsSize) {

     int oldAttsSize = attsSize;

     ATTRIBUTE *temp;

+    /* Detect and prevent integer overflow */

+    if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)

+        || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {

+      return XML_ERROR_NO_MEMORY;

+    }

     attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;

+    /* Detect and prevent integer overflow.

+     * The preprocessor guard addresses the "always false" warning

+     * from -Wtype-limits on platforms where

+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */

+#if UINT_MAX >= SIZE_MAX

+    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {

+      attsSize = oldAttsSize;

+      return XML_ERROR_NO_MEMORY;

+    }

+#endif

     temp = realloc((void *)atts, attsSize * sizeof(ATTRIBUTE));

     if (!temp)

       return XML_ERROR_NO_MEMORY;

@@ -2297,6 +2323,20 @@ storeAtts(XML_Parser       const xmlParserP,

   n = i + binding->uriLen;

   if (n > binding->uriAlloc) {

     TAG *p;

+

+    /* Detect and prevent integer overflow */

+    if (n > INT_MAX - EXPAND_SPARE) {

+      return XML_ERROR_NO_MEMORY;

+    }

+    /* Detect and prevent integer overflow.

+     * The preprocessor guard addresses the "always false" warning

+     * from -Wtype-limits on platforms where

+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */

+#if UINT_MAX >= SIZE_MAX

+    if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {

+      return XML_ERROR_NO_MEMORY;

+    }

+#endif

     XML_Char *uri = malloc((n + EXPAND_SPARE) * sizeof(XML_Char));

     if (!uri)

       return XML_ERROR_NO_MEMORY;

-- 

2.31.1