[Backport] CVE-2017-5029

xsltAddTextString: Check for overflow when merging text nodes.

BUG=676623

Review-Url: https://codereview.chromium.org/2626983002
Cr-Commit-Position: refs/heads/master@{#445987}
(cherry picked from commit 14b7c024aaec338adcbf87cbeee54cf6137d7f8a)

Review-Url: https://codereview.chromium.org/2676223002 .
Cr-Commit-Position: refs/branch-heads/2987@{#318}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

Change-Id: Ic8c0a0ba4013d2ceaf13809452c0b1e25bcb4017
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

3 files changed, 27 insertions, 5 deletions

diff --git a/chromium/third_party/libxslt/README.chromium b/chromium/third_party/libxslt/README.chromium
index 88348b1a207..147e1da29d3 100644
--- a/chromium/third_party/libxslt/README.chromium
+++ b/chromium/third_party/libxslt/README.chromium
@@ -16,6 +16,9 @@ Modifications:
   https://bugs.chromium.org/p/chromium/issues/detail?id=583171#c17
 
 
+- Apply patch contributed upstream, details here:
+  https://crbug.com/676623#c18
+
 To import a new version:
 
 On Linux, get the latest tar via libxml.org and extract and replace
diff --git a/chromium/third_party/libxslt/libxslt/transform.c b/chromium/third_party/libxslt/libxslt/transform.c
index 8b86e2ebc0d..25bc8bc2eed 100644
--- a/chromium/third_party/libxslt/libxslt/transform.c
+++ b/chromium/third_party/libxslt/libxslt/transform.c
@@ -816,13 +816,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
         return(target);
 
     if (ctxt->lasttext == target->content) {
+        int minSize;
 
-	if (ctxt->lasttuse + len >= ctxt->lasttsize) {
+        /* Check for integer overflow accounting for NUL terminator. */
+        if (len >= INT_MAX - ctxt->lasttuse) {
+            xsltTransformError(ctxt, NULL, target,
+                "xsltCopyText: text allocation failed\n");
+            return(NULL);
+        }
+        minSize = ctxt->lasttuse + len + 1;
+
+        if (ctxt->lasttsize < minSize) {
 	    xmlChar *newbuf;
 	    int size;
+            int extra;
+
+            /* Double buffer size but increase by at least 100 bytes. */
+            extra = minSize < 100 ? 100 : minSize;
+
+            /* Check for integer overflow. */
+            if (extra > INT_MAX - ctxt->lasttsize) {
+                size = INT_MAX;
+            }
+            else {
+                size = ctxt->lasttsize + extra;
+            }
 
-	    size = ctxt->lasttsize + len + 100;
-	    size *= 2;
 	    newbuf = (xmlChar *) xmlRealloc(target->content,size);
 	    if (newbuf == NULL) {
 		xsltTransformError(ctxt, NULL, target,
diff --git a/chromium/third_party/libxslt/libxslt/xsltInternals.h b/chromium/third_party/libxslt/libxslt/xsltInternals.h
index 7123acec104..8a6ac245199 100644
--- a/chromium/third_party/libxslt/libxslt/xsltInternals.h
+++ b/chromium/third_party/libxslt/libxslt/xsltInternals.h
@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
      * Speed optimization when coalescing text nodes
      */
     const xmlChar  *lasttext;		/* last text node content */
-    unsigned int    lasttsize;		/* last text node size */
-    unsigned int    lasttuse;		/* last text node use */
+    int             lasttsize;		/* last text node size */
+    int             lasttuse;		/* last text node use */
     /*
      * Per Context Debugging
      */