Commit 897dffba authored by Nick Wellnhofer's avatar Nick Wellnhofer

Check for integer overflow in memory debug code

Fixes bug 783026.

Thanks to Pranjal Jumde for the report.
parent 932cc989
...@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line) ...@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
TEST_POINT TEST_POINT
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
"xmlMallocLoc : Unsigned overflow\n");
xmlMemoryDump();
return(NULL);
}
p = (MEMHDR *) malloc(RESERVE_SIZE+size); p = (MEMHDR *) malloc(RESERVE_SIZE+size);
if (!p) { if (!p) {
...@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line) ...@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
#endif #endif
xmlMutexUnlock(xmlMemMutex); xmlMutexUnlock(xmlMemMutex);
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
"xmlMallocLoc : Unsigned overflow\n");
xmlMemoryDump();
return(NULL);
}
tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size); tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
if (!tmp) { if (!tmp) {
free(p); free(p);
...@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line) ...@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
if (!xmlMemInitialized) xmlInitMemory(); if (!xmlMemInitialized) xmlInitMemory();
TEST_POINT TEST_POINT
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
"xmlMallocLoc : Unsigned overflow\n");
xmlMemoryDump();
return(NULL);
}
p = (MEMHDR *) malloc(RESERVE_SIZE+size); p = (MEMHDR *) malloc(RESERVE_SIZE+size);
if (!p) { if (!p) {
goto error; goto error;
......
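Review bot: In the xmlReallocLoc hunk the new overflow check returns NULL after `xmlMutexUnlock(xmlMemMutex)`, so whatever bookkeeping was done under the lock has presumably already been applied to a block that is then neither reallocated nor freed, whereas the `if (!tmp)` path right below does `free(p)`. The part of the function before the unlock is outside the hunk, but the check looks safer near the top of xmlReallocLoc, before the header or the counters are touched, so that a rejected size leaves the caller's block and the debug accounting intact. Separately, the xmlReallocLoc and xmlMemStrdupLoc hunks both log `"xmlMallocLoc : Unsigned overflow\n"`; using `"xmlReallocLoc : Unsigned overflow\n"` and `"xmlMemStrdupLoc : Unsigned overflow\n"` would make the memory-debug log point at the entry point that actually rejected the size.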