From ce6eddc1a167dafaac17c7bad9fa6b013fada31b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 25 Feb 2022 13:07:07 -0500
Subject: [PATCH 5/6] lib: Prevent more integer overflows (CVE-2022-22822 to
CVE-2022-22827)
Backport fixes from https://github.com/libexpat/libexpat/pull/539
Resolves: #2058567, #2058576, #2058282, #2058589, #2058595, #2058602
---
lib/expat/xmlparse/xmlparse.c | 40 +++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
index 48adfb3..16ab82a 100644
--- a/lib/expat/xmlparse/xmlparse.c
+++ b/lib/expat/xmlparse/xmlparse.c
@@ -19,6 +19,7 @@ See the file copying.txt for copying permission.
#include <assert.h>
#include <limits.h> /* UINT_MAX */
#include <time.h> /* time() */
+#include <stdint.h>
#include "xmlrpc_config.h"
#include "c_util.h"
@@ -1076,6 +1077,9 @@ int addBinding(XML_Parser parser,
;
if (namespaceSeparator)
len++;
+ if (namespaceSeparator && (uri[len] == namespaceSeparator)) {
+ return XML_ERROR_SYNTAX;
+ }
if (freeBindingList) {
b = freeBindingList;
if (len > b->uriAlloc) {
@@ -2116,10 +2120,32 @@ storeAtts(XML_Parser const xmlParserP,
}
/* get the attributes from the tokenizer */
n = XmlGetAttributes(enc, attStr, attsSize, atts);
+
+
+ /* Detect and prevent integer overflow */
+ if (n > INT_MAX - nDefaultAtts) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
if (n + nDefaultAtts > attsSize) {
int oldAttsSize = attsSize;
ATTRIBUTE *temp;
+ /* Detect and prevent integer overflow */
+ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
+ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
+ return XML_ERROR_NO_MEMORY;
+ }
attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
+ attsSize = oldAttsSize;
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
temp = realloc((void *)atts, attsSize * sizeof(ATTRIBUTE));
if (!temp)
return XML_ERROR_NO_MEMORY;
@@ -2297,6 +2323,20 @@ storeAtts(XML_Parser const xmlParserP,
n = i + binding->uriLen;
if (n > binding->uriAlloc) {
TAG *p;
+
+ /* Detect and prevent integer overflow */
+ if (n > INT_MAX - EXPAND_SPARE) {
+ return XML_ERROR_NO_MEMORY;
+ }
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
XML_Char *uri = malloc((n + EXPAND_SPARE) * sizeof(XML_Char));
if (!uri)
return XML_ERROR_NO_MEMORY;
--
2.31.1