From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001 From: Samanta Navarro Date: Sat, 22 Jan 2022 17:48:00 +0100 Subject: [PATCH] lib: Detect and prevent integer overflow in XML_GetBuffer (CVE-2022-23852) Upstream-Status: Backport: https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40 CVE: CVE-2022-23852 Signed-off-by: Steve Sakoman --- expat/lib/xmlparse.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c index d54af683..5ce31402 100644 --- a/lib/xmlparse.c +++ b/lib/xmlparse.c @@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) { keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer); if (keep > XML_CONTEXT_BYTES) keep = XML_CONTEXT_BYTES; + /* Detect and prevent integer overflow */ + if (keep > INT_MAX - neededSize) { + parser->m_errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } neededSize += keep; #endif /* defined XML_CONTEXT_BYTES */ if (neededSize