summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMyoungJune Park <mj2004.park@samsung.com>2017-10-19 10:49:14 +0900
committerMyoungJune Park <mj2004.park@samsung.com>2017-10-19 01:50:48 +0000
commit38f5d3746fb5409dafe77a9231030057b173df64 (patch)
tree2078bbc2b87c3a68ab9ed1788304cbc5220eaab9
parentc582450a479ff157cf79aed26b6b08e867ff3832 (diff)
downloadlibxslt-38f5d3746fb5409dafe77a9231030057b173df64.tar.gz
libxslt-38f5d3746fb5409dafe77a9231030057b173df64.tar.bz2
libxslt-38f5d3746fb5409dafe77a9231030057b173df64.zip
CVE-2017-1000249 author Nick Wellnhofer <wellnhofer@aevum.de> 2017-01-12 14:39:52 (GMT) committer Nick Wellnhofer <wellnhofer@aevum.de> 2017-02-03 11:24:22 (GMT) Limit buffer size in xsltAddTextString to INT_MAX. The issue can be exploited to trigger an out of bounds write on 64-bit systems. Originally reported to Chromium: https://crbug.com/676623 Change-Id: Ibc82e53973e8b2e4ee964c042f42b324295b49a5
-rw-r--r--libxslt/transform.c25
-rw-r--r--libxslt/xsltInternals.h4
2 files changed, 24 insertions, 5 deletions
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 8b86e2eb..25bc8bc2 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -816,13 +816,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
return(target);
if (ctxt->lasttext == target->content) {
+ int minSize;
- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
+ /* Check for integer overflow accounting for NUL terminator. */
+ if (len >= INT_MAX - ctxt->lasttuse) {
+ xsltTransformError(ctxt, NULL, target,
+ "xsltCopyText: text allocation failed\n");
+ return(NULL);
+ }
+ minSize = ctxt->lasttuse + len + 1;
+
+ if (ctxt->lasttsize < minSize) {
xmlChar *newbuf;
int size;
+ int extra;
+
+ /* Double buffer size but increase by at least 100 bytes. */
+ extra = minSize < 100 ? 100 : minSize;
+
+ /* Check for integer overflow. */
+ if (extra > INT_MAX - ctxt->lasttsize) {
+ size = INT_MAX;
+ }
+ else {
+ size = ctxt->lasttsize + extra;
+ }
- size = ctxt->lasttsize + len + 100;
- size *= 2;
newbuf = (xmlChar *) xmlRealloc(target->content,size);
if (newbuf == NULL) {
xsltTransformError(ctxt, NULL, target,
diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
index 7123acec..8a6ac245 100644
--- a/libxslt/xsltInternals.h
+++ b/libxslt/xsltInternals.h
@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
* Speed optimization when coalescing text nodes
*/
const xmlChar *lasttext; /* last text node content */
- unsigned int lasttsize; /* last text node size */
- unsigned int lasttuse; /* last text node use */
+ int lasttsize; /* last text node size */
+ int lasttuse; /* last text node use */
/*
* Per Context Debugging
*/