Commit 08ab2774 authored by Nick Wellnhofer

Check for integer overflow in xsltAddTextString

Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
exploited to trigger an out of bounds write on 64-bit systems.

Originally reported to Chromium:

https://crbug.com/676623
parent 8ee72e49
...@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target, ...@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
return(target); return(target);
if (ctxt->lasttext == target->content) { if (ctxt->lasttext == target->content) {
int minSize;
if (ctxt->lasttuse + len >= ctxt->lasttsize) { /* Check for integer overflow accounting for NUL terminator. */
if (len >= INT_MAX - ctxt->lasttuse) {
xsltTransformError(ctxt, NULL, target,
"xsltCopyText: text allocation failed\n");
return(NULL);
}
minSize = ctxt->lasttuse + len + 1;
if (ctxt->lasttsize < minSize) {
xmlChar *newbuf; xmlChar *newbuf;
int size; int size;
int extra;
/* Double buffer size but increase by at least 100 bytes. */
extra = minSize < 100 ? 100 : minSize;
/* Check for integer overflow. */
if (extra > INT_MAX - ctxt->lasttsize) {
size = INT_MAX;
}
else {
size = ctxt->lasttsize + extra;
}
size = ctxt->lasttsize + len + 100;
size *= 2;
newbuf = (xmlChar *) xmlRealloc(target->content,size); newbuf = (xmlChar *) xmlRealloc(target->content,size);
if (newbuf == NULL) { if (newbuf == NULL) {
xsltTransformError(ctxt, NULL, target, xsltTransformError(ctxt, NULL, target,
......
...@@ -1754,8 +1754,8 @@ struct _xsltTransformContext { ...@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
* Speed optimization when coalescing text nodes * Speed optimization when coalescing text nodes
*/ */
const xmlChar *lasttext; /* last text node content */ const xmlChar *lasttext; /* last text node content */
unsigned int lasttsize; /* last text node size */ int lasttsize; /* last text node size */
unsigned int lasttuse; /* last text node use */ int lasttuse; /* last text node use */
/* /*
* Per Context Debugging * Per Context Debugging
*/ */
......