Prevent integer overflow in function doProlog
Bug: http://b/221256678
Change-Id: I6fe381103f4eb287726d1ccb5bfec99db160ffe4
(cherry picked from commit 8524cb8b7b377ff6acb1ca51afc7255d02c4170b)
Merged-In: I6fe381103f4eb287726d1ccb5bfec99db160ffe4
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index a5bda33..06dcb32 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -5065,7 +5065,7 @@
if (dtd->in_eldecl) {
ELEMENT_TYPE *el;
const XML_Char *name;
- int nameLen;
+ size_t nameLen;
const char *nxt
= (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
int myindex = nextScaffoldPart(parser);
@@ -5081,7 +5081,13 @@
nameLen = 0;
for (; name[nameLen++];)
;
- dtd->contentStringLen += nameLen;
+
+ /* Detect and prevent integer overflow */
+ if (nameLen > UINT_MAX - dtd->contentStringLen) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
+ dtd->contentStringLen += (unsigned)nameLen;
if (parser->m_elementDeclHandler)
handleDefault = XML_FALSE;
}
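Review bot: The guard `if (nameLen > UINT_MAX - dtd->contentStringLen)` is only correct while `dtd->contentStringLen` is an `unsigned int`, and its declaration is not visible in this hunk, so the check would silently stop matching the field if that type ever changes. The comment above it should say which value is protected and why the parse is aborted, for example `/* contentStringLen is unsigned int: reject a name whose length (terminator included) would wrap it; the total presumably sizes a later allocation */`. The `(unsigned)nameLen` cast is lossless only because of the preceding comparison, which deserves a short trailing comment such as `/* bounded by the check above */` so the two lines are not separated later. `UINT_MAX` requires `<limits.h>`, and the include list is outside the visible lines, so confirm it is present on every build configuration. The enclosing `if (dtd->in_eldecl)` block starts in the previous hunk and continues past the end of this one.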