mirror of
https://github.com/openharmony/third_party_expat.git
synced 2026-07-01 08:12:30 -04:00
fix cve-2022-23990 cve-2022-23852
Signed-off-by: lushi <lushi@huawei.com> Change-Id: I852da1fdb2f838d5264fffa8932fa2b8d6d94887
This commit is contained in:
+13
-2
@@ -2066,6 +2066,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
|
||||
keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
|
||||
if (keep > XML_CONTEXT_BYTES)
|
||||
keep = XML_CONTEXT_BYTES;
|
||||
/* Detect and prevent integer overflow */
|
||||
if (keep > INT_MAX - neededSize) {
|
||||
parser->m_errorCode = XML_ERROR_NO_MEMORY;
|
||||
return NULL;
|
||||
}
|
||||
neededSize += keep;
|
||||
#endif /* defined XML_CONTEXT_BYTES */
|
||||
if (neededSize
|
||||
@@ -5366,7 +5371,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
|
||||
if (dtd->in_eldecl) {
|
||||
ELEMENT_TYPE *el;
|
||||
const XML_Char *name;
|
||||
int nameLen;
|
||||
size_t nameLen;
|
||||
const char *nxt
|
||||
= (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
|
||||
int myindex = nextScaffoldPart(parser);
|
||||
@@ -5382,7 +5387,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
|
||||
nameLen = 0;
|
||||
for (; name[nameLen++];)
|
||||
;
|
||||
dtd->contentStringLen += nameLen;
|
||||
|
||||
/* Detect and prevent integer overflow */
|
||||
if (nameLen > UINT_MAX - dtd->contentStringLen) {
|
||||
return XML_ERROR_NO_MEMORY;
|
||||
}
|
||||
|
||||
dtd->contentStringLen += (unsigned)nameLen;
|
||||
if (parser->m_elementDeclHandler)
|
||||
handleDefault = XML_FALSE;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user