pattern: Check reallocations for overflow

2025-03-28 21:33:13 +00:00 · 2024-12-15 22:06:11 +01:00 · 2024-12-15 22:06:11 +01:00 · 7b3d1134c3
commit 7b3d1134c3
parent 3f72a579c2
1 changed files with 63 additions and 32 deletions
--- a/pattern.c
+++ b/pattern.c
@ -34,6 +34,8 @@
 #include <libxml/xmlerror.h>
 #include <libxml/parserInternals.h>

+#include "private/memory.h"
+
 #ifdef LIBXML_PATTERN_ENABLED

 #ifdef ERROR
@ -332,6 +334,24 @@ xmlFreePatParserContext(xmlPatParserContextPtr ctxt) {
    xmlFree(ctxt);
 }

+static int
+xmlPatternGrow(xmlPatternPtr comp) {
+    xmlStepOpPtr temp;
+    int newSize;
+
+    newSize = xmlGrowCapacity(comp->maxStep, sizeof(temp[0]),
+                              10, XML_MAX_ITEMS);
+    if (newSize < 0)
+        return(-1);
+    temp = xmlRealloc(comp->steps, newSize * sizeof(temp[0]));
+    if (temp == NULL)
+        return(-1);
+    comp->steps = temp;
+    comp->maxStep = newSize;
+
+    return(0);
+}
+
 /**
 * xmlPatternAdd:
 * @comp:  the compiled match expression
@ -348,23 +368,16 @@ xmlPatternAdd(xmlPatParserContextPtr ctxt, xmlPatternPtr comp,
              xmlPatOp op, xmlChar * value, xmlChar * value2)
 {
    if (comp->nbStep >= comp->maxStep) {
-        xmlStepOpPtr temp;
-	temp = (xmlStepOpPtr) xmlRealloc(comp->steps, comp->maxStep * 2 *
-	                                 sizeof(xmlStepOp));
-        if (temp == NULL) {
-	    ERROR(ctxt, NULL, NULL,
-			     "xmlPatternAdd: realloc failed\n");
+        if (xmlPatternGrow(comp) < 0) {
            ctxt->error = -1;
-	    return (-1);
-	}
-	comp->steps = temp;
-	comp->maxStep *= 2;
+            return(-1);
+        }
    }
    comp->steps[comp->nbStep].op = op;
    comp->steps[comp->nbStep].value = value;
    comp->steps[comp->nbStep].value2 = value2;
    comp->nbStep++;
-    return (0);
+    return(0);
 }

 /**
@ -390,18 +403,15 @@ xmlReversePattern(xmlPatternPtr comp) {
 	}
 	comp->nbStep--;
    }
+
+    /*
+     * Grow to add OP_END later
+     */
    if (comp->nbStep >= comp->maxStep) {
-        xmlStepOpPtr temp;
-	temp = (xmlStepOpPtr) xmlRealloc(comp->steps, comp->maxStep * 2 *
-	                                 sizeof(xmlStepOp));
-        if (temp == NULL) {
-	    ERROR(ctxt, NULL, NULL,
-			     "xmlReversePattern: realloc failed\n");
-	    return (-1);
-	}
-	comp->steps = temp;
-	comp->maxStep *= 2;
+        if (xmlPatternGrow(comp) < 0)
+            return(-1);
    }
+
    i = 0;
    j = comp->nbStep - 1;
    while (j > i) {
@ -419,6 +429,7 @@ xmlReversePattern(xmlPatternPtr comp) {
 	j--;
 	i++;
    }
+
    comp->steps[comp->nbStep].value = NULL;
    comp->steps[comp->nbStep].value2 = NULL;
    comp->steps[comp->nbStep++].op = XML_OP_END;
@ -434,14 +445,18 @@ xmlReversePattern(xmlPatternPtr comp) {
 static int
 xmlPatPushState(xmlStepStates *states, int step, xmlNodePtr node) {
    if (states->maxstates <= states->nbstates) {
-        size_t newSize = states->maxstates ? states->maxstates * 2 : 4;
        xmlStepState *tmp;
+        int newSize;

+        newSize = xmlGrowCapacity(states->maxstates, sizeof(tmp[0]),
+                                  4, XML_MAX_ITEMS);
+        if (newSize < 0)
+	    return(-1);
 	tmp = xmlRealloc(states->states, newSize * sizeof(tmp[0]));
 	if (tmp == NULL)
 	    return(-1);
 	states->states = tmp;
-	states->maxstates *= 2;
+	states->maxstates = newSize;
    }
    states->states[states->nbstates].step = step;
    states->states[states->nbstates++].node = node;
@ -1343,15 +1358,24 @@ xmlStreamCompAddStep(xmlStreamCompPtr comp, const xmlChar *name,
    xmlStreamStepPtr cur;

    if (comp->nbStep >= comp->maxStep) {
-	cur = (xmlStreamStepPtr) xmlRealloc(comp->steps,
-				 comp->maxStep * 2 * sizeof(xmlStreamStep));
+        xmlStreamStepPtr tmp;
+        int newSize;
+
+        newSize = xmlGrowCapacity(comp->maxStep, sizeof(tmp[0]),
+                                  4, XML_MAX_ITEMS);
+        if (newSize < 0) {
+	    ERROR(NULL, NULL, NULL,
+		  "xmlNewStreamComp: growCapacity failed\n");
+	    return(-1);
+        }
+	cur = xmlRealloc(comp->steps, newSize * sizeof(tmp[0]));
 	if (cur == NULL) {
 	    ERROR(NULL, NULL, NULL,
 		  "xmlNewStreamComp: malloc failed\n");
 	    return(-1);
 	}
 	comp->steps = cur;
-        comp->maxStep *= 2;
+        comp->maxStep = newSize;
    }
    cur = &comp->steps[comp->nbStep++];
    cur->flags = flags;
@ -1613,17 +1637,24 @@ xmlStreamCtxtAddState(xmlStreamCtxtPtr comp, int idx, int level) {
 	}
    }
    if (comp->nbState >= comp->maxState) {
-        int *cur;
+        int *tmp;
+        int newSize;

-	cur = (int *) xmlRealloc(comp->states,
-				 comp->maxState * 4 * sizeof(int));
-	if (cur == NULL) {
+        newSize = xmlGrowCapacity(comp->maxState, sizeof(tmp[0]) * 2,
+                                  4, XML_MAX_ITEMS);
+        if (newSize < 0) {
+	    ERROR(NULL, NULL, NULL,
+		  "xmlNewStreamCtxt: growCapacity failed\n");
+	    return(-1);
+        }
+	tmp = xmlRealloc(comp->states, newSize * sizeof(tmp[0]) * 2);
+	if (tmp == NULL) {
 	    ERROR(NULL, NULL, NULL,
 		  "xmlNewStreamCtxt: malloc failed\n");
 	    return(-1);
 	}
-	comp->states = cur;
-        comp->maxState *= 2;
+	comp->states = tmp;
+        comp->maxState = newSize;
    }
    comp->states[2 * comp->nbState] = idx;
    comp->states[2 * comp->nbState++ + 1] = level;