blob: 79e808b40c343d9298bdc75bccbd070936b79855 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
--- SAX2.c.orig 2008-01-25 08:10:04.000000000 -0500
+++ SAX2.c 2008-11-07 05:07:34.000000000 -0500
@@ -11,6 +11,7 @@
#include "libxml.h"
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include <libxml/xmlmemory.h>
#include <libxml/tree.h>
#include <libxml/parser.h>
@@ -26,6 +27,11 @@
#include <libxml/HTMLtree.h>
#include <libxml/globals.h>
+/* Define SIZE_T_MAX unless defined through <limits.h>. */
+#ifndef SIZE_T_MAX
+# define SIZE_T_MAX ((size_t)-1)
+#endif /* !SIZE_T_MAX */
+
/* #define DEBUG_SAX2 */
/* #define DEBUG_SAX2_TREE */
@@ -2445,9 +2451,14 @@
(xmlDictOwns(ctxt->dict, lastChild->content))) {
lastChild->content = xmlStrdup(lastChild->content);
}
+ if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
+ (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
+ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
+ return;
+ }
if (ctxt->nodelen + len >= ctxt->nodemem) {
xmlChar *newbuf;
- int size;
+ size_t size;
size = ctxt->nodemem + len;
size *= 2;
|
