Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / libxml2 / 2029791e30b24fd7e8ebf2963207433ca55f5288^! / . / xmlmemory.c
commit2029791e30b24fd7e8ebf2963207433ca55f5288[log] [tgz]
authorakirilov <akirilov@google.com>Fri Jun 01 13:43:34 2018 -0700
committermspector <mspector@google.com>Thu Jul 19 01:50:24 2018 -0700
treefdcd3e879406ec5f2e6314a2434595666c0bf1d5
parente4f9c765a370585bc21b8ca9a9c369aeb60b83d6 [diff] [blame]
RESTRICT AUTOMERGE: Update libxml2 to 2.9.8

Merge to pi-dev, restore Android.mk and revert 440b0b3d89db029dc2b8c86130461d292a8e11dc

Bug: 79662501
Bug: 36809766
Bug: 36810305
Bug: 62151041

Test: manually verify functionality for regression

Change-Id: Ib8859fc31de847c252a8705437fa67476ba6f5ad
(cherry picked from commit f921fa5d53b3ab966ba41c298ccd6b3d88574451)

diff --git a/xmlmemory.c b/xmlmemory.c
index f08c8c3..6f16c4b 100644
--- a/xmlmemory.c
+++ b/xmlmemory.c

@@ -111,7 +111,7 @@
 
 #define MAX_SIZE_T ((size_t)-1)
 
-#define CLIENT_2_HDR(a) ((MEMHDR *) (((char *) (a)) - RESERVE_SIZE))
+#define CLIENT_2_HDR(a) ((void *) (((char *) (a)) - RESERVE_SIZE))
 #define HDR_2_CLIENT(a)    ((void *) (((char *) (a)) + RESERVE_SIZE))
 
 
@@ -172,6 +172,13 @@
 
     TEST_POINT
 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+	xmlGenericError(xmlGenericErrorContext,
+		"xmlMallocLoc : Unsigned overflow\n");
+	xmlMemoryDump();
+	return(NULL);
+    }
+
     p = (MEMHDR *) malloc(RESERVE_SIZE+size);
 
     if (!p) {
@@ -243,7 +250,7 @@
 
     if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
 	xmlGenericError(xmlGenericErrorContext,
-		"xmlMallocAtomicLoc : Unsigned overflow prevented\n");
+		"xmlMallocAtomicLoc : Unsigned overflow\n");
 	xmlMemoryDump();
 	return(NULL);
     }
@@ -352,6 +359,13 @@
 #endif
     xmlMutexUnlock(xmlMemMutex);
 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+	xmlGenericError(xmlGenericErrorContext,
+		"xmlReallocLoc : Unsigned overflow\n");
+	xmlMemoryDump();
+	return(NULL);
+    }
+
     tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
     if (!tmp) {
 	 free(p);
@@ -473,7 +487,7 @@
 
 error:
     xmlGenericError(xmlGenericErrorContext,
-	    "xmlMemFree(%lX) error\n", (unsigned long) ptr);
+	    "xmlMemFree(%p) error\n", ptr);
     xmlMallocBreakpoint();
     return;
 }
@@ -499,6 +513,13 @@
     if (!xmlMemInitialized) xmlInitMemory();
     TEST_POINT
 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+	xmlGenericError(xmlGenericErrorContext,
+		"xmlMemStrdupLoc : Unsigned overflow\n");
+	xmlMemoryDump();
+	return(NULL);
+    }
+
     p = (MEMHDR *) malloc(RESERVE_SIZE+size);
     if (!p) {
       goto error;