Overview

File expat-CVE-2022-23852.patch of Package expat.22630

Index: expat-2.2.5/lib/xmlparse.c
===================================================================
--- expat-2.2.5.orig/lib/xmlparse.c
+++ expat-2.2.5/lib/xmlparse.c
@@ -2040,6 +2040,11 @@ XML_GetBuffer(XML_Parser parser, int len
     keep = (int)(parser->m_bufferPtr - parser->m_buffer);
     if (keep > XML_CONTEXT_BYTES)
       keep = XML_CONTEXT_BYTES;
+    /* Detect and prevent integer overflow */
+    if (keep > INT_MAX - neededSize) {
+      parser->m_errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
     neededSize += keep;
 #endif  /* defined XML_CONTEXT_BYTES */
     if (neededSize  <= parser->m_bufferLim - parser->m_buffer) {
Index: expat-2.2.5/tests/runtests.c
===================================================================
--- expat-2.2.5.orig/tests/runtests.c
+++ expat-2.2.5/tests/runtests.c
@@ -4116,6 +4116,30 @@ START_TEST(test_get_buffer_2)
 }
 END_TEST
 
+/* Test for signed integer overflow CVE-2022-23852 */
+#if defined(XML_CONTEXT_BYTES)
+START_TEST(test_get_buffer_3_overflow) {
+  XML_Parser parser = XML_ParserCreate(NULL);
+  assert(parser != NULL);
+
+  const char *const text = "\n";
+  const int expectedKeepValue = (int)strlen(text);
+
+  // After this call, variable "keep" in XML_GetBuffer will
+  // have value expectedKeepValue
+  if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
+      == XML_STATUS_ERROR)
+    xml_failure(parser);
+
+  assert(expectedKeepValue > 0);
+  if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
+    fail("enlarging buffer not failed");
+
+  XML_ParserFree(parser);
+}
+END_TEST
+#endif // defined(XML_CONTEXT_BYTES)
+
 /* Test position information macros */
 START_TEST(test_byte_info_at_end)
 {
@@ -12117,6 +12141,9 @@ make_suite(void)
     tcase_add_test(tc_basic, test_empty_parse);
     tcase_add_test(tc_basic, test_get_buffer_1);
     tcase_add_test(tc_basic, test_get_buffer_2);
+#if defined(XML_CONTEXT_BYTES)
+    tcase_add_test(tc_basic, test_get_buffer_3_overflow);
+#endif
     tcase_add_test(tc_basic, test_byte_info_at_end);
     tcase_add_test(tc_basic, test_byte_info_at_error);
     tcase_add_test(tc_basic, test_byte_info_at_cdata);
openSUSE Build Service is sponsored by
Places