Prevent XML_GetBuffer signed integer overflow

Bug: http://b/221255869
Change-Id: I38758fae8c71184f728f95e6073457cdb86bcc29
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index c4f3ffc..ca29328 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -2047,6 +2047,11 @@
     keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
     if (keep > XML_CONTEXT_BYTES)
       keep = XML_CONTEXT_BYTES;
+    /* Detect and prevent integer overflow */
+    if (keep > INT_MAX - neededSize) {
+      parser->m_errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
     neededSize += keep;
 #endif  /* defined XML_CONTEXT_BYTES */
     if (neededSize <= EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_buffer)) {
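Review bot: The added guard `keep > INT_MAX - neededSize` is only overflow-free itself when `neededSize` is non-negative, and nothing visible in this hunk establishes that. The enclosing function starts and ends outside the hunk, so an earlier check may already reject a negative `neededSize`; if it does not, the condition should read `if (neededSize < 0 || keep > INT_MAX - neededSize) {`. Either way the comment should state the precondition rather than just "integer overflow", for example `/* neededSize >= 0 here, so INT_MAX - neededSize cannot wrap; refuse before neededSize += keep overflows int */`. The check also depends on `INT_MAX` from `<limits.h>`, whose include is not visible in this hunk, so confirm the file already pulls it in.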