expat: import patches for CVEs
[feed/packages.git] / libs / expat / patches / CVE-2022-23990.patch
1 Patch-Source: https://github.com/libexpat/libexpat/commit/ede41d1e186ed2aba88a06e84cac839b770af3a1
2 From ede41d1e186ed2aba88a06e84cac839b770af3a1 Mon Sep 17 00:00:00 2001
3 From: Sebastian Pipping <sebastian@pipping.org>
4 Date: Wed, 26 Jan 2022 02:36:43 +0100
5 Subject: [PATCH] lib: Prevent integer overflow in doProlog (CVE-2022-23990)
6
7 The change from "int nameLen" to "size_t nameLen"
8 addresses the overflow on "nameLen++" in code
9 "for (; name[nameLen++];)" right above the second
10 change in the patch.
11 ---
12 expat/lib/xmlparse.c | 10 ++++++++--
13 1 file changed, 8 insertions(+), 2 deletions(-)
14
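--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -5126,7 +5126,7 @@ doProlog(XML_Parser parser, const ENCODI
 if (dtd->in_eldecl) {
 ELEMENT_TYPE *el;
 const XML_Char *name;
- int nameLen;
+ size_t nameLen;
 const char *nxt
 = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
 int myindex = nextScaffoldPart(parser);
@@ -5142,7 +5142,13 @@ doProlog(XML_Parser parser, const ENCODI
 nameLen = 0;
 for (; name[nameLen++];)
 ;
- dtd->contentStringLen += nameLen;
+
+ /* Detect and prevent integer overflow */
+ if (nameLen > UINT_MAX - dtd->contentStringLen) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
+ dtd->contentStringLen += (unsigned)nameLen;
 if (parser->m_elementDeclHandler)
 handleDefault = XML_FALSE;
 }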
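Review bot: The new guard `if (nameLen > UINT_MAX - dtd->contentStringLen)` is only exact if `dtd->contentStringLen` is an `unsigned int`, which the hunk does not show; the `(unsigned)nameLen` cast on the following line suggests it, but a wider or signed field would make `UINT_MAX - dtd->contentStringLen` either too loose or subject to the very overflow the patch is trying to remove. The one-line comment before the check should record that assumption so a later change to the field's type is caught, e.g. `/* contentStringLen is unsigned int; nameLen counts the terminating NUL, so the sum must stay <= UINT_MAX */`. Note also that the counting loop `for (; name[nameLen++];)` post-increments past the terminator, so `nameLen` includes the NUL byte, which is why the accumulated length, not the string length, is what the bound applies to. The enclosing doProlog function starts and ends outside both hunks.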