1 https://sourceforge.net/p/expat/bugs/528/ |
|
2 https://sourceforge.net/p/expat/code_git/ci/ba0f9c3b40c264b8dd392e02a7a060a8fa54f032/ |
|
3 |
|
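diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index f35aa36..97ef730 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -1678,6 +1678,10 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
 void * XMLCALL
 XML_GetBuffer(XML_Parser parser, int len)
 {
+ if (len < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
 switch (ps_parsing) {
 case XML_SUSPENDED:
 errorCode = XML_ERROR_SUSPENDED;
@@ -1689,8 +1693,11 @@ XML_GetBuffer(XML_Parser parser, int len)
 }
 
 if (len > bufferLim - bufferEnd) {
- /* FIXME avoid integer overflow */
 int neededSize = len + (int)(bufferEnd - bufferPtr);
+ if (neededSize < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
 #ifdef XML_CONTEXT_BYTES
 int keep = (int)(bufferPtr - buffer);
 
@@ -1719,7 +1726,11 @@ XML_GetBuffer(XML_Parser parser, int len)
 bufferSize = INIT_BUFFER_SIZE;
 do {
 bufferSize *= 2;
- } while (bufferSize < neededSize);
+ } while (bufferSize < neededSize && bufferSize > 0);
+ if (bufferSize <= 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
 newBuf = (char *)MALLOC(bufferSize);
 if (newBuf == 0) {
 errorCode = XML_ERROR_NO_MEMORY;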
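Review bot: The guards added in the second and third hunks detect overflow only after it has already happened: `neededSize < 0` is tested after `len + (int)(bufferEnd - bufferPtr)` and `bufferSize <= 0` after `bufferSize *= 2`. Signed overflow is undefined behaviour in C, so an optimising compiler may assume both results are non-negative and remove the checks, leaving the undersized-allocation path open. Testing before the arithmetic avoids that: `if (len > INT_MAX - (int)(bufferEnd - bufferPtr)) { errorCode = XML_ERROR_NO_MEMORY; return NULL; }` ahead of the `neededSize` computation (needs `<limits.h>`), and ending the doubling loop with an error once `bufferSize > INT_MAX / 2` instead of relying on wrap-around. This assumes `bufferSize` is a signed `int`; its declaration and the rest of `XML_GetBuffer` lie outside the hunks, so that should be confirmed there.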