Blob Blame History Raw
From 06d354807ac297374973631a6418edf7e3fcbf30 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 28 Feb 2022 10:43:23 -0500
Subject: [PATCH 6/6] Prevent integer overflow on m_groupSize in doProlog
 (CVE-2021-46143)

Backported from upstream https://github.com/libexpat/libexpat/pull/538

Resolves: #2058560
---
 lib/expat/xmlparse/xmlparse.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
index 16ab82a..b9aa927 100644
--- a/lib/expat/xmlparse/xmlparse.c
+++ b/lib/expat/xmlparse/xmlparse.c
@@ -3991,6 +3991,11 @@ doProlog(XML_Parser       const xmlParserP,
     case XML_ROLE_GROUP_OPEN:
       if (prologState.level >= groupSize) {
         if (groupSize) {
+          /* Detect and prevent integer overflow */
+          if (groupSize > (unsigned int)(-1) / 2u) {
+            *errorCodeP = XML_ERROR_NO_MEMORY;
+            return;
+          }
           char *temp = realloc(groupConnector, groupSize *= 2);
           if (!temp) {
             *errorCodeP = XML_ERROR_NO_MEMORY;
-- 
2.31.1