CVE-2015-1283 Sanity check size calculations. r=peterv, a=abillings https://sourceforge.net/p/expat/bugs/528/

commit: ba0f9c3b40c264b8dd392e02a7a060a8fa54f032 [log] [tgz]
author: Eric Rahm <erahm@mozilla.com> Wed Mar 02 13:31:21 2016 +0100
committer: Sebastian Pipping <sebastian@pipping.org> Wed Mar 02 18:01:53 2016 +0100
tree: 82c692d45988925a7a5240990725e6843a260132
parent: 3f5ed8f18d8caf00028646b7450e404d61c1bdb5 [diff]
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index f35aa36..97ef730 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c

@@ -1678,6 +1678,10 @@
 void * XMLCALL
 XML_GetBuffer(XML_Parser parser, int len)
 {
+  if (len < 0) {
+    errorCode = XML_ERROR_NO_MEMORY;
+    return NULL;
+  }
   switch (ps_parsing) {
   case XML_SUSPENDED:
     errorCode = XML_ERROR_SUSPENDED;
@@ -1689,8 +1693,11 @@
   }
 
   if (len > bufferLim - bufferEnd) {
-    /* FIXME avoid integer overflow */
     int neededSize = len + (int)(bufferEnd - bufferPtr);
+    if (neededSize < 0) {
+      errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
 #ifdef XML_CONTEXT_BYTES
     int keep = (int)(bufferPtr - buffer);
 
@@ -1719,7 +1726,11 @@
         bufferSize = INIT_BUFFER_SIZE;
       do {
         bufferSize *= 2;
-      } while (bufferSize < neededSize);
+      } while (bufferSize < neededSize && bufferSize > 0);
+      if (bufferSize <= 0) {
+        errorCode = XML_ERROR_NO_MEMORY;
+        return NULL;
+      }
       newBuf = (char *)MALLOC(bufferSize);
       if (newBuf == 0) {
         errorCode = XML_ERROR_NO_MEMORY;
commit	ba0f9c3b40c264b8dd392e02a7a060a8fa54f032	[log] [tgz]
author	Eric Rahm <erahm@mozilla.com>	Wed Mar 02 13:31:21 2016 +0100
committer	Sebastian Pipping <sebastian@pipping.org>	Wed Mar 02 18:01:53 2016 +0100
tree	82c692d45988925a7a5240990725e6843a260132
parent	3f5ed8f18d8caf00028646b7450e404d61c1bdb5 [diff]