Commit 897dffba authored by Nick Wellnhofer's avatar Nick Wellnhofer

Check for integer overflow in memory debug code

Fixes bug 783026.

Thanks to Pranjal Jumde for the report.
parent 932cc989
......@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
TEST_POINT
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
"xmlMallocLoc : Unsigned overflow\n");
xmlMemoryDump();
return(NULL);
}
p = (MEMHDR *) malloc(RESERVE_SIZE+size);
if (!p) {
......@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
#endif
xmlMutexUnlock(xmlMemMutex);
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
"xmlMallocLoc : Unsigned overflow\n");
xmlMemoryDump();
return(NULL);
}
tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
if (!tmp) {
free(p);
......@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
if (!xmlMemInitialized) xmlInitMemory();
TEST_POINT
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
"xmlMallocLoc : Unsigned overflow\n");
xmlMemoryDump();
return(NULL);
}
p = (MEMHDR *) malloc(RESERVE_SIZE+size);
if (!p) {
goto error;
......
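Review bot: In the xmlReallocLoc hunk the new overflow branch returns NULL without touching `p`, while the `if (!tmp)` branch directly below calls `free(p)`, so the two failure paths leave the caller's block in different states. The check also sits after `xmlMutexUnlock(xmlMemMutex)`, so any bookkeeping done under the lock (outside the hunk, so inferred) has presumably already been applied to a block that is still allocated. Moving the size check to the top of the function, before the header or counters are modified, would keep that failure path free of side effects. Separately, the messages in the xmlReallocLoc and xmlMemStrdupLoc hunks still read `"xmlMallocLoc : Unsigned overflow\n"`; naming the actual function (`"xmlReallocLoc : Unsigned overflow\n"`, `"xmlMemStrdupLoc : Unsigned overflow\n"`) would let the log identify which allocator rejected the size. All three function bodies start and end outside the hunks.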