diff options
author | MyoungJune Park <mj2004.park@samsung.com> | 2017-10-19 10:49:14 +0900 |
---|---|---|
committer | MyoungJune Park <mj2004.park@samsung.com> | 2017-10-19 01:50:48 +0000 |
commit | 38f5d3746fb5409dafe77a9231030057b173df64 (patch) | |
tree | 2078bbc2b87c3a68ab9ed1788304cbc5220eaab9 | |
parent | c582450a479ff157cf79aed26b6b08e867ff3832 (diff) | |
download | libxslt-38f5d3746fb5409dafe77a9231030057b173df64.tar.gz libxslt-38f5d3746fb5409dafe77a9231030057b173df64.tar.bz2 libxslt-38f5d3746fb5409dafe77a9231030057b173df64.zip |
Check for integer overflow in xsltAddTextStringtizen_4.0.IoT.p2_releasesubmit/tizen_4.0_base/20171019.015308accepted/tizen/4.0/base/20171103.060838
CVE-2017-1000249
author Nick Wellnhofer <wellnhofer@aevum.de> 2017-01-12 14:39:52 (GMT)
committer Nick Wellnhofer <wellnhofer@aevum.de> 2017-02-03 11:24:22 (GMT)
Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
exploited to trigger an out of bounds write on 64-bit systems.
Originally reported to Chromium:
https://crbug.com/676623
Change-Id: Ibc82e53973e8b2e4ee964c042f42b324295b49a5
-rw-r--r-- | libxslt/transform.c | 25 | ||||
-rw-r--r-- | libxslt/xsltInternals.h | 4 |
2 files changed, 24 insertions, 5 deletions
diff --git a/libxslt/transform.c b/libxslt/transform.c index 8b86e2eb..25bc8bc2 100644 --- a/libxslt/transform.c +++ b/libxslt/transform.c @@ -816,13 +816,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target, return(target); if (ctxt->lasttext == target->content) { + int minSize; - if (ctxt->lasttuse + len >= ctxt->lasttsize) { + /* Check for integer overflow accounting for NUL terminator. */ + if (len >= INT_MAX - ctxt->lasttuse) { + xsltTransformError(ctxt, NULL, target, + "xsltCopyText: text allocation failed\n"); + return(NULL); + } + minSize = ctxt->lasttuse + len + 1; + + if (ctxt->lasttsize < minSize) { xmlChar *newbuf; int size; + int extra; + + /* Double buffer size but increase by at least 100 bytes. */ + extra = minSize < 100 ? 100 : minSize; + + /* Check for integer overflow. */ + if (extra > INT_MAX - ctxt->lasttsize) { + size = INT_MAX; + } + else { + size = ctxt->lasttsize + extra; + } - size = ctxt->lasttsize + len + 100; - size *= 2; newbuf = (xmlChar *) xmlRealloc(target->content,size); if (newbuf == NULL) { xsltTransformError(ctxt, NULL, target, diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h index 7123acec..8a6ac245 100644 --- a/libxslt/xsltInternals.h +++ b/libxslt/xsltInternals.h @@ -1754,8 +1754,8 @@ struct _xsltTransformContext { * Speed optimization when coalescing text nodes */ const xmlChar *lasttext; /* last text node content */ - unsigned int lasttsize; /* last text node size */ - unsigned int lasttuse; /* last text node use */ + int lasttsize; /* last text node size */ + int lasttuse; /* last text node use */ /* * Per Context Debugging */ |