Check for integer overflow in memory debug code Fixes bug 783026. Thanks to Pranjal Jumde for the report.

commit: 897dffbae322b46b83f99a607d527058a72c51ed [log] [tgz]
author: Nick Wellnhofer <wellnhofer@aevum.de> Tue Jun 06 13:21:14 2017 +0200
committer: Nick Wellnhofer <wellnhofer@aevum.de> Tue Jun 06 13:21:14 2017 +0200
tree: 92cc4d26f81d6d5546908b2c14bba516873a80fd
parent: 932cc9896ab41475d4aa429c27d9afd175959d74 [diff] [blame]
diff --git a/xmlmemory.c b/xmlmemory.c
index f08c8c3..c53141f 100644
--- a/xmlmemory.c
+++ b/xmlmemory.c

@@ -172,6 +172,13 @@
 
     TEST_POINT
 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+	xmlGenericError(xmlGenericErrorContext,
+		"xmlMallocLoc : Unsigned overflow\n");
+	xmlMemoryDump();
+	return(NULL);
+    }
+
     p = (MEMHDR *) malloc(RESERVE_SIZE+size);
 
     if (!p) {
@@ -352,6 +359,13 @@
 #endif
     xmlMutexUnlock(xmlMemMutex);
 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+	xmlGenericError(xmlGenericErrorContext,
+		"xmlMallocLoc : Unsigned overflow\n");
+	xmlMemoryDump();
+	return(NULL);
+    }
+
     tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
     if (!tmp) {
 	 free(p);
@@ -499,6 +513,13 @@
     if (!xmlMemInitialized) xmlInitMemory();
     TEST_POINT
 
+    if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
+	xmlGenericError(xmlGenericErrorContext,
+		"xmlMallocLoc : Unsigned overflow\n");
+	xmlMemoryDump();
+	return(NULL);
+    }
+
     p = (MEMHDR *) malloc(RESERVE_SIZE+size);
     if (!p) {
       goto error;
commit	897dffbae322b46b83f99a607d527058a72c51ed	[log] [tgz]
author	Nick Wellnhofer <wellnhofer@aevum.de>	Tue Jun 06 13:21:14 2017 +0200
committer	Nick Wellnhofer <wellnhofer@aevum.de>	Tue Jun 06 13:21:14 2017 +0200
tree	92cc4d26f81d6d5546908b2c14bba516873a80fd
parent	932cc9896ab41475d4aa429c27d9afd175959d74 [diff] [blame]