Commit 08ab2774 authored by Nick Wellnhofer's avatar Nick Wellnhofer

Check for integer overflow in xsltAddTextString

Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
exploited to trigger an out of bounds write on 64-bit systems.

Originally reported to Chromium:

https://crbug.com/676623
parent 8ee72e49
......@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
return(target);
if (ctxt->lasttext == target->content) {
int minSize;
if (ctxt->lasttuse + len >= ctxt->lasttsize) {
/* Check for integer overflow accounting for NUL terminator. */
if (len >= INT_MAX - ctxt->lasttuse) {
xsltTransformError(ctxt, NULL, target,
"xsltCopyText: text allocation failed\n");
return(NULL);
}
minSize = ctxt->lasttuse + len + 1;
if (ctxt->lasttsize < minSize) {
xmlChar *newbuf;
int size;
int extra;
/* Double buffer size but increase by at least 100 bytes. */
extra = minSize < 100 ? 100 : minSize;
/* Check for integer overflow. */
if (extra > INT_MAX - ctxt->lasttsize) {
size = INT_MAX;
}
else {
size = ctxt->lasttsize + extra;
}
size = ctxt->lasttsize + len + 100;
size *= 2;
newbuf = (xmlChar *) xmlRealloc(target->content,size);
if (newbuf == NULL) {
xsltTransformError(ctxt, NULL, target,
......
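Review bot: The guard `if (len >= INT_MAX - ctxt->lasttuse)` bounds the buffer only while both operands are non-negative; if `len` or `ctxt->lasttuse` were ever negative the comparison passes and `minSize = ctxt->lasttuse + len + 1` can come out smaller than the data about to be appended. With `lasttuse` now a signed `int` (the xsltInternals.h hunk below) the type no longer rules that out, so the precondition should at least be stated next to the check: `/* Precondition: len >= 0 and ctxt->lasttuse >= 0; otherwise the INT_MAX check does not bound the buffer. */`. The diagnostic `"xsltCopyText: text allocation failed\n"` reused on the size-limit path is also misleading, since no allocation was attempted there; a message naming the condition, e.g. `"xsltAddTextString: text size exceeds INT_MAX\n"`, would make the two failures distinguishable in logs. xsltAddTextString's signature starts above the hunk and its body continues below it.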
......@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
* Speed optimization when coalescing text nodes
*/
const xmlChar *lasttext; /* last text node content */
unsigned int lasttsize; /* last text node size */
unsigned int lasttuse; /* last text node use */
int lasttsize; /* last text node size */
int lasttuse; /* last text node use */
/*
* Per Context Debugging
*/
......
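Review bot: The comments on the retyped fields `int lasttsize; /* last text node size */` and `int lasttuse; /* last text node use */` do not record why the fields became signed or what range they must stay in, yet the overflow arithmetic in xsltAddTextString (the transform.c hunk above) now depends on both lying in `[0, INT_MAX]`. Because _xsltTransformContext is a public struct in xsltInternals.h, a maintainer reading the header alone cannot see that invariant; suggest `int lasttsize; /* last text node size, 0 <= lasttsize <= INT_MAX */` and `int lasttuse; /* last text node use, 0 <= lasttuse <= INT_MAX */`. `int` and `unsigned int` have the same width, so the struct layout is presumably unchanged, but code outside the library that compared these fields against unsigned values may now see sign-comparison warnings.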