File xerces-c-CVE-2023-37536.patch of Package xerces-c.31524
From 4dc7c00d192dcf8f89e1f9f9e3bc5f9a2db52535 Mon Sep 17 00:00:00 2001
From: Scott Cantor <cantor.2@osu.edu>
Date: Mon, 10 Oct 2022 11:48:07 -0400
Subject: [PATCH] XERCESC-2241 - Integer overflows in DFAContentModel class
https://issues.apache.org/jira/browse/XERCESC-2241
---
 .../validators/common/DFAContentModel.cpp     | 27 ++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
Index: xerces-c-3.1.4/src/xercesc/validators/common/DFAContentModel.cpp
===================================================================
--- xerces-c-3.1.4.orig/src/xercesc/validators/common/DFAContentModel.cpp
+++ xerces-c-3.1.4/src/xercesc/validators/common/DFAContentModel.cpp
@@ -24,6 +24,7 @@
 //  Includes
 // ---------------------------------------------------------------------------
 #include <xercesc/util/RuntimeException.hpp>
+#include <xercesc/util/OutOfMemoryException.hpp>
 #include <xercesc/framework/XMLBuffer.hpp>
 #include <xercesc/framework/XMLElementDecl.hpp>
 #include <xercesc/framework/XMLValidator.hpp>
@@ -41,6 +42,7 @@
 #include <xercesc/util/RefHashTableOf.hpp>
 #include <xercesc/util/XMLInteger.hpp>
 #include <math.h>
+#include <limits>
 
 XERCES_CPP_NAMESPACE_BEGIN
 
@@ -606,8 +608,15 @@ void DFAContentModel::buildDFA(ContentSp
     //  in the fLeafCount member.
     //
     fLeafCount=countLeafNodes(curNode);
+    // Avoid integer overflow in below fLeafCount++ increment
+    if (fLeafCount > (std::numeric_limits<unsigned int>::max() - 1))
+        throw OutOfMemoryException();
     fEOCPos = fLeafCount++;
 
+    // Avoid integer overflow in below memory allocation
+    if (fLeafCount > (std::numeric_limits<size_t>::max() / sizeof(CMLeaf*)))
+        throw OutOfMemoryException();
+
     //  We need to build an array of references to the non-epsilon
     //  leaf nodes. We will put them in the array according to their position values
     //
@@ -1304,14 +1313,27 @@ unsigned int DFAContentModel::countLeafN
         if(nLoopCount!=0)
         {
             count += countLeafNodes(cursor);
-            for(unsigned int i=0;i<nLoopCount;i++)
-                count += countLeafNodes(rightNode);
+            const unsigned int countRight = countLeafNodes(rightNode);
+            // Avoid integer overflow in below multiplication
+            if (countRight > (std::numeric_limits<unsigned int>::max() / nLoopCount))
+                throw OutOfMemoryException();
+            const unsigned int countRightMulLoopCount = nLoopCount * countRight;
+            // Avoid integer overflow in below addition
+            if (count > (std::numeric_limits<unsigned int>::max() - countRightMulLoopCount))
+                throw OutOfMemoryException();
+            count += countRightMulLoopCount;
             return count;
         }
         if(leftNode)
             count+=countLeafNodes(leftNode);
         if(rightNode)
-            count+=countLeafNodes(rightNode);
+        {
+            const unsigned int countRight = countLeafNodes(rightNode);
+            // Avoid integer overflow in below addition
+            if (count > (std::numeric_limits<unsigned int>::max() - countRight))
+                throw OutOfMemoryException();
+            count+=countRight;
+        }
     }
     return count;
 }