Check for integer overflow in memory debug code

Fixes bug 783026. Thanks to Pranjal Jumde for the report.

Check for integer overflow in memory debug code
Fixes bug 783026. Thanks to Pranjal Jumde for the report.
897dffba · Nick Wellnhofer · 932cc989 · 897dffba
Commit 897dffba authored Jun 06, 2017 by Nick Wellnhofer
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 0 deletions

xmlmemory.c xmlmemory.c +21 -0

No files found.
--- a/xmlmemory.c
+++ b/xmlmemory.c
@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)

    TEST_POINT

+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+	xmlGenericError(xmlGenericErrorContext,
+		"xmlMallocLoc : Unsigned overflow\n");
+	xmlMemoryDump();
+	return(NULL);
+    }
+
    p = (MEMHDR *) malloc(RESERVE_SIZE+size);

    if (!p) {
@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
 #endif
    xmlMutexUnlock(xmlMemMutex);

+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+	xmlGenericError(xmlGenericErrorContext,
+		"xmlMallocLoc : Unsigned overflow\n");
+	xmlMemoryDump();
+	return(NULL);
+    }
+
    tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
    if (!tmp) {
 	 free(p);
@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
    if (!xmlMemInitialized) xmlInitMemory();
    TEST_POINT

+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+	xmlGenericError(xmlGenericErrorContext,
+		"xmlMallocLoc : Unsigned overflow\n");
+	xmlMemoryDump();
+	return(NULL);
+    }
+
    p = (MEMHDR *) malloc(RESERVE_SIZE+size);
    if (!p) {
      goto error;