Check for integer overflow in memory debug code
Fixes bug 783026.
Thanks to Pranjal Jumde for the report.
diff --git a/xmlmemory.c b/xmlmemory.c
index f08c8c3..c53141f 100644
--- a/xmlmemory.c
+++ b/xmlmemory.c
@@ -172,6 +172,13 @@
TEST_POINT
+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlMallocLoc : Unsigned overflow\n");
+ xmlMemoryDump();
+ return(NULL);
+ }
+
p = (MEMHDR *) malloc(RESERVE_SIZE+size);
if (!p) {
@@ -352,6 +359,13 @@
#endif
xmlMutexUnlock(xmlMemMutex);
+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlMallocLoc : Unsigned overflow\n");
+ xmlMemoryDump();
+ return(NULL);
+ }
+
tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
if (!tmp) {
free(p);
@@ -499,6 +513,13 @@
if (!xmlMemInitialized) xmlInitMemory();
TEST_POINT
+ if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlMallocLoc : Unsigned overflow\n");
+ xmlMemoryDump();
+ return(NULL);
+ }
+
p = (MEMHDR *) malloc(RESERVE_SIZE+size);
if (!p) {
goto error;