Fix overflow check in SAX2.c

Nick Wellnhofer 2022-09-01 02:33:16 +02:00
parent 65dc8a63ac
commit aeb69fd357

24
SAX2.c

@ -32,11 +32,6 @@
#include "private/parser.h"
#include "private/tree.h"
/* Define SIZE_T_MAX unless defined through <limits.h>. */
#ifndef SIZE_T_MAX
# define SIZE_T_MAX ((size_t)-1)
#endif /* !SIZE_T_MAX */
/* #define DEBUG_SAX2 */
/* #define DEBUG_SAX2_TREE */
@ -2600,22 +2595,23 @@ xmlSAX2Text(xmlParserCtxtPtr ctxt, const xmlChar *ch, int len,
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL");
return;
}
if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) &&
if (ctxt->nodelen > INT_MAX - len) {
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
return;
}
if ((ctxt->nodelen + len > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node");
return;
}
if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
(size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
return;
}
if (ctxt->nodelen + len >= ctxt->nodemem) {
xmlChar *newbuf;
size_t size;
int size;
size = ctxt->nodemem + len;
size *= 2;
size = ctxt->nodemem > INT_MAX - len ?
INT_MAX :
ctxt->nodemem + len;
size = size > INT_MAX / 2 ? INT_MAX : size * 2;
newbuf = (xmlChar *) xmlRealloc(lastChild->content,size);
if (newbuf == NULL) {
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters");