diff options
author | Michal Klocek <michal.klocek@qt.io> | 2017-02-06 16:28:00 +0900 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2017-05-29 10:22:13 +0000 |
commit | d540bef6bdab1a6356aa69947a76bc0cd7692c38 (patch) | |
tree | 1ec22734cfba19ecc30391b03cb15f83d6fdee82 | |
parent | a0b159a148a8de89ad44fa2d64e488fd9a4aee87 (diff) |
[Backport] CVE-2017-5029
xsltAddTextString: Check for overflow when merging text nodes.
BUG=676623
Review-Url: https://codereview.chromium.org/2626983002
Cr-Commit-Position: refs/heads/master@{#445987}
(cherry picked from commit 14b7c024aaec338adcbf87cbeee54cf6137d7f8a)
Review-Url: https://codereview.chromium.org/2676223002 .
Cr-Commit-Position: refs/branch-heads/2987@{#318}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Change-Id: Ic8c0a0ba4013d2ceaf13809452c0b1e25bcb4017
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/libxslt/README.chromium | 3 | ||||
-rw-r--r-- | chromium/third_party/libxslt/libxslt/transform.c | 25 | ||||
-rw-r--r-- | chromium/third_party/libxslt/libxslt/xsltInternals.h | 4 |
3 files changed, 27 insertions, 5 deletions
diff --git a/chromium/third_party/libxslt/README.chromium b/chromium/third_party/libxslt/README.chromium index 88348b1a207..147e1da29d3 100644 --- a/chromium/third_party/libxslt/README.chromium +++ b/chromium/third_party/libxslt/README.chromium @@ -16,6 +16,9 @@ Modifications: https://bugs.chromium.org/p/chromium/issues/detail?id=583171#c17 +- Apply patch contributed upstream, details here: + https://crbug.com/676623#c18 + To import a new version: On Linux, get the latest tar via libxml.org and extract and replace diff --git a/chromium/third_party/libxslt/libxslt/transform.c b/chromium/third_party/libxslt/libxslt/transform.c index 8b86e2ebc0d..25bc8bc2eed 100644 --- a/chromium/third_party/libxslt/libxslt/transform.c +++ b/chromium/third_party/libxslt/libxslt/transform.c @@ -816,13 +816,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target, return(target); if (ctxt->lasttext == target->content) { + int minSize; - if (ctxt->lasttuse + len >= ctxt->lasttsize) { + /* Check for integer overflow accounting for NUL terminator. */ + if (len >= INT_MAX - ctxt->lasttuse) { + xsltTransformError(ctxt, NULL, target, + "xsltCopyText: text allocation failed\n"); + return(NULL); + } + minSize = ctxt->lasttuse + len + 1; + + if (ctxt->lasttsize < minSize) { xmlChar *newbuf; int size; + int extra; + + /* Double buffer size but increase by at least 100 bytes. */ + extra = minSize < 100 ? 100 : minSize; + + /* Check for integer overflow. */ + if (extra > INT_MAX - ctxt->lasttsize) { + size = INT_MAX; + } + else { + size = ctxt->lasttsize + extra; + } - size = ctxt->lasttsize + len + 100; - size *= 2; newbuf = (xmlChar *) xmlRealloc(target->content,size); if (newbuf == NULL) { xsltTransformError(ctxt, NULL, target, diff --git a/chromium/third_party/libxslt/libxslt/xsltInternals.h b/chromium/third_party/libxslt/libxslt/xsltInternals.h index 7123acec104..8a6ac245199 100644 --- a/chromium/third_party/libxslt/libxslt/xsltInternals.h +++ b/chromium/third_party/libxslt/libxslt/xsltInternals.h @@ -1754,8 +1754,8 @@ struct _xsltTransformContext { * Speed optimization when coalescing text nodes */ const xmlChar *lasttext; /* last text node content */ - unsigned int lasttsize; /* last text node size */ - unsigned int lasttuse; /* last text node use */ + int lasttsize; /* last text node size */ + int lasttuse; /* last text node use */ /* * Per Context Debugging */ |