organicmaps/libexpat
13
Fork 0
mirror of https://github.com/libexpat/libexpat.git synced 2025-04-05 05:05:00 +00:00
Code Issues 1 Projects Releases Wiki Activity Actions 1

Merge pull request #891 from libexpat/taiyou-dtdcopy-malloc-overflow

Browse source 
[CVE-2024-45491] lib: Detect integer overflow in `dtdCopy` (fixes #888)
This commit is contained in:
Sebastian Pipping 2024-09-03 18:17:46 +02:00 committed by GitHub
commit b8a7dca467
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
expat/lib/xmlparse.c
View file

@ -7017,6 +7017,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
if (! newE)
return 0;
if (oldE->nDefaultAtts) {
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if ((size_t)oldE->nDefaultAtts
> ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
return 0;
}
#endif
newE->defaultAtts
= ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
if (! newE->defaultAtts) {