fix cve-2022-23990 cve-2022-23852

Signed-off-by: lushi <lushi@huawei.com>
Change-Id: I852da1fdb2f838d5264fffa8932fa2b8d6d94887
lushi
2022-01-28 15:53:10 +08:00
parent d05b97ab30
commit ca4a5ac098
+13 -2
@@ -2066,6 +2066,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
if (keep > XML_CONTEXT_BYTES)
keep = XML_CONTEXT_BYTES;
/* Detect and prevent integer overflow */
if (keep > INT_MAX - neededSize) {
parser->m_errorCode = XML_ERROR_NO_MEMORY;
return NULL;
}
neededSize += keep;
#endif /* defined XML_CONTEXT_BYTES */
if (neededSize
@@ -5366,7 +5371,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
if (dtd->in_eldecl) {
ELEMENT_TYPE *el;
const XML_Char *name;
int nameLen;
size_t nameLen;
const char *nxt
= (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
int myindex = nextScaffoldPart(parser);
@@ -5382,7 +5387,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
nameLen = 0;
for (; name[nameLen++];)
;
dtd->contentStringLen += nameLen;
/* Detect and prevent integer overflow */
if (nameLen > UINT_MAX - dtd->contentStringLen) {
return XML_ERROR_NO_MEMORY;
}
dtd->contentStringLen += (unsigned)nameLen;
if (parser->m_elementDeclHandler)
handleDefault = XML_FALSE;
}
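Review bot: In the XML_GetBuffer hunk, the new guard `if (keep > INT_MAX - neededSize)` is only sound when `neededSize` is non-negative at that point, because `INT_MAX - neededSize` is itself signed arithmetic and would overflow for a negative value. The code that computes and range-checks `neededSize` sits above the hunk, so that precondition should be confirmed in the target tree and recorded, for example by extending the comment to `/* Detect and prevent integer overflow of neededSize + keep; neededSize was checked to be >= 0 above */`. The comment on the doProlog guard could likewise say that `contentStringLen` is an unsigned running total that `nameLen` is added to. The diffstat accounts for these three hunks only, so no regression test for either overflow path appears to come with the change; one would be worth adding. Both functions begin and end outside the visible hunks.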