Variables are not validated before being used as divisors.
Variables 'elemSize' and 'dim2' are not validated before being used as divisors in xmlregexp.c. In line 605 of xmlregexp.c, the input parameter dim2 of xmlRegCalloc2 may be 0. It may cause a core dump of the process.

    transdata = (void **) xmlRegCalloc2(nbstates, nbatoms, sizeof(void *));

    static void*
    xmlRegCalloc2(size_t dim1, size_t dim2, size_t elemSize) {
        size_t totalSize;
        void *ret;

        /* Check for overflow */
        if (dim1 > SIZE_MAX / dim2 / elemSize)
            return (NULL);
        totalSize = dim1 * dim2 * elemSize;
        ret = xmlMalloc(totalSize);
        if (ret != NULL)
            memset(ret, 0, totalSize);
        return (ret);
    }

Edited by Nick Wellnhofer
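
A guarded form of the overflow check quoted in the report, as an added example that is not libxml2's code or its actual fix. The names `checked_mul3` and `reg_calloc2_checked` are hypothetical, `malloc` stands in for `xmlMalloc`, and returning NULL for an empty table is an assumption about what callers expect.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: computes a*b*c into *out; returns -1 on overflow.
 * Zero factors are handled before any division, so no divisor can be 0. */
static int
checked_mul3(size_t a, size_t b, size_t c, size_t *out) {
    if (a == 0 || b == 0 || c == 0) {
        *out = 0;
        return 0;
    }
    /* Short-circuit: a * b is only evaluated once it is known to fit. */
    if (a > SIZE_MAX / b || a * b > SIZE_MAX / c)
        return -1;
    *out = a * b * c;
    return 0;
}

/* Hypothetical stand-in for xmlRegCalloc2 (malloc replaces xmlMalloc).
 * Assumption: an empty table is reported as NULL, like a failed allocation. */
static void *
reg_calloc2_checked(size_t dim1, size_t dim2, size_t elemSize) {
    size_t totalSize;
    void *ret;

    if (checked_mul3(dim1, dim2, elemSize, &totalSize) != 0 || totalSize == 0)
        return NULL;
    ret = malloc(totalSize);
    if (ret != NULL)
        memset(ret, 0, totalSize);
    return ret;
}

int
main(void) {
    /* Constructed inputs: the dim2 == 0 case from the report, an
     * overflowing request, and an ordinary 3 x 4 pointer table. */
    void *zero = reg_calloc2_checked(4, 0, sizeof(void *));
    void *huge = reg_calloc2_checked(SIZE_MAX, 2, sizeof(void *));
    void **ok = reg_calloc2_checked(3, 4, sizeof(void *));

    printf("dim2=0: %s\n", zero == NULL ? "rejected" : "allocated");
    printf("overflow: %s\n", huge == NULL ? "rejected" : "allocated");
    printf("3x4: %s\n", ok != NULL ? "allocated" : "failed");
    free(ok);
    return 0;
}
```

Callers that already treat a NULL return as an allocation failure need no change for the zero-dimension case under this assumption.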