From 06d354807ac297374973631a6418edf7e3fcbf30 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 28 Feb 2022 10:43:23 -0500
Subject: [PATCH 6/6] Prevent integer overflow on m_groupSize in doProlog
(CVE-2021-46143)
Backported from upstream https://github.com/libexpat/libexpat/pull/538
Resolves: #2058560
---
lib/expat/xmlparse/xmlparse.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
index 16ab82a..b9aa927 100644
--- a/lib/expat/xmlparse/xmlparse.c
+++ b/lib/expat/xmlparse/xmlparse.c
@@ -3991,6 +3991,11 @@ doProlog(XML_Parser const xmlParserP,
case XML_ROLE_GROUP_OPEN:
if (prologState.level >= groupSize) {
if (groupSize) {
+ /* Detect and prevent integer overflow */
+ if (groupSize > (unsigned int)(-1) / 2u) {
+ *errorCodeP = XML_ERROR_NO_MEMORY;
+ return;
+ }
char *temp = realloc(groupConnector, groupSize *= 2);
if (!temp) {
*errorCodeP = XML_ERROR_NO_MEMORY;
--
2.31.1