Prevent XML_GetBuffer signed integer overflow Bug: http://b/221255869 Change-Id: I38758fae8c71184f728f95e6073457cdb86bcc29 (cherry picked from commit a924d536de39ee21d4ab7051a3d13684162259bf) Merged-In: I38758fae8c71184f728f95e6073457cdb86bcc29

commit: 1cea57295616a9ed74ff57cf30c89a8ce8e4b328 [log] [tgz]
author: Sadaf Ebrahimi <sadafebrahimi@google.com> Thu Jun 02 19:32:22 2022 +0000
committer: android-t1 <xiaocong.gu@t2mobile.com> Tue Sep 06 10:25:05 2022 +0800
tree: b3dc7212a516d5f4c9fd536e8eda9a2eb81ce384
parent: 1adbf3784e3712440a7541b7dbc60f648b6e7918 [diff] [blame]
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 02bcfaa..78ad787 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c

@@ -1967,6 +1967,11 @@
     keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
     if (keep > XML_CONTEXT_BYTES)
       keep = XML_CONTEXT_BYTES;
+    /* Detect and prevent integer overflow */
+    if (keep > INT_MAX - neededSize) {
+      parser->m_errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
     neededSize += keep;
 #endif /* defined XML_CONTEXT_BYTES */
     if (neededSize
commit	1cea57295616a9ed74ff57cf30c89a8ce8e4b328	[log] [tgz]
author	Sadaf Ebrahimi <sadafebrahimi@google.com>	Thu Jun 02 19:32:22 2022 +0000
committer	android-t1 <xiaocong.gu@t2mobile.com>	Tue Sep 06 10:25:05 2022 +0800
tree	b3dc7212a516d5f4c9fd536e8eda9a2eb81ce384
parent	1adbf3784e3712440a7541b7dbc60f648b6e7918 [diff] [blame]