Commit 897dffba authored by Nick Wellnhofer's avatar Nick Wellnhofer
Browse files

Check for integer overflow in memory debug code

Fixes bug 783026.

Thanks to Pranjal Jumde for the report.
parent 932cc989
......@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
TEST_POINT
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
"xmlMallocLoc : Unsigned overflow\n");
xmlMemoryDump();
return(NULL);
}
p = (MEMHDR *) malloc(RESERVE_SIZE+size);
if (!p) {
......@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
#endif
xmlMutexUnlock(xmlMemMutex);
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
"xmlMallocLoc : Unsigned overflow\n");
xmlMemoryDump();
return(NULL);
}
tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
if (!tmp) {
free(p);
......@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
if (!xmlMemInitialized) xmlInitMemory();
TEST_POINT
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
"xmlMallocLoc : Unsigned overflow\n");
xmlMemoryDump();
return(NULL);
}
p = (MEMHDR *) malloc(RESERVE_SIZE+size);
if (!p) {
goto error;
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment