Prevent XML_GetBuffer signed integer overflow
Bug: http://b/221255869
Change-Id: I38758fae8c71184f728f95e6073457cdb86bcc29
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index c4f3ffc..ca29328 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -2047,6 +2047,11 @@
keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
if (keep > XML_CONTEXT_BYTES)
keep = XML_CONTEXT_BYTES;
+ /* Detect and prevent integer overflow */
+ if (keep > INT_MAX - neededSize) {
+ parser->m_errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
neededSize += keep;
#endif /* defined XML_CONTEXT_BYTES */
if (neededSize <= EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_buffer)) {