Fix two integer overflows

commit: 2cac066cf6ef47c250f83861b61b624cd14c293f [log] [tgz]
author: Gustavo Grieco <gustavo.grieco@imag.fr> Mon May 02 00:35:34 2016 +0200
committer: Sebastian Pipping <sebastian@pipping.org> Mon May 02 01:00:32 2016 +0200
tree: a3c7e6e830d485f5f526616f3ea352712cdcbb4a
parent: bb1fd81b98870bd2c7628b4b011a61a9b9d791aa [diff]
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index 3c06e2a..e810e3e 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c

@@ -6287,8 +6287,13 @@
     }
   }
   if (pool->blocks && pool->start == pool->blocks->s) {
+    BLOCK *temp;
     int blockSize = (int)(pool->end - pool->start)*2;
-    BLOCK *temp = (BLOCK *)
+
+    if (blockSize < 0)
+      return XML_FALSE;
+
+    temp = (BLOCK *)
       pool->mem->realloc_fcn(pool->blocks,
                              (offsetof(BLOCK, s)
                               + blockSize * sizeof(XML_Char)));
@@ -6303,6 +6308,10 @@
   else {
     BLOCK *tem;
     int blockSize = (int)(pool->end - pool->start);
+
+    if (blockSize < 0)
+      return XML_FALSE;
+
     if (blockSize < INIT_BLOCK_SIZE)
       blockSize = INIT_BLOCK_SIZE;
     else
commit	2cac066cf6ef47c250f83861b61b624cd14c293f	[log] [tgz]
author	Gustavo Grieco <gustavo.grieco@imag.fr>	Mon May 02 00:35:34 2016 +0200
committer	Sebastian Pipping <sebastian@pipping.org>	Mon May 02 01:00:32 2016 +0200
tree	a3c7e6e830d485f5f526616f3ea352712cdcbb4a
parent	bb1fd81b98870bd2c7628b4b011a61a9b9d791aa [diff]