uri: Check reallocations for overflow

2025-03-28 21:33:13 +00:00 · 2024-12-15 22:37:22 +01:00 · 2024-12-15 22:37:22 +01:00 · 8b2d9ac45b
commit 8b2d9ac45b
parent 2042090b45
1 changed files with 15 additions and 9 deletions
--- a/uri.c
+++ b/uri.c
@ -19,6 +19,7 @@
 #include <libxml/xmlerror.h>

 #include "private/error.h"
+#include "private/memory.h"

 /**
 * MAX_URI_LENGTH:
@ -1100,15 +1101,15 @@ xmlCreateURI(void) {
 static xmlChar *
 xmlSaveUriRealloc(xmlChar *ret, int *max) {
    xmlChar *temp;
-    int tmp;
+    int newSize;

-    if (*max > MAX_URI_LENGTH)
+    newSize = xmlGrowCapacity(*max, 1, 80, MAX_URI_LENGTH);
+    if (newSize < 0)
        return(NULL);
-    tmp = *max * 2;
-    temp = (xmlChar *) xmlRealloc(ret, (tmp + 1));
+    temp = xmlRealloc(ret, newSize + 1);
    if (temp == NULL)
        return(NULL);
-    *max = tmp;
+    *max = newSize;
    return(temp);
 }

@ -1676,7 +1677,6 @@ xmlURIUnescapeString(const char *str, int len, char *target) {
 xmlChar *
 xmlURIEscapeStr(const xmlChar *str, const xmlChar *list) {
    xmlChar *ret, ch;
-    xmlChar *temp;
    const xmlChar *in;
    int len, out;

@ -1694,15 +1694,21 @@ xmlURIEscapeStr(const xmlChar *str, const xmlChar *list) {
    out = 0;
    while(*in != 0) {
 	if (len - out <= 3) {
-            if (len > INT_MAX / 2)
+            xmlChar *temp;
+            int newSize;
+
+            newSize = xmlGrowCapacity(len, 1, 1, XML_MAX_ITEMS);
+            if (newSize < 0) {
+		xmlFree(ret);
                return(NULL);
-            temp = xmlRealloc(ret, len * 2);
+            }
+            temp = xmlRealloc(ret, newSize);
 	    if (temp == NULL) {
 		xmlFree(ret);
 		return(NULL);
 	    }
 	    ret = temp;
-            len *= 2;
+            len = newSize;
 	}

 	ch = *in;