projects / platform / upstream / libxslt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c582450)
Check for integer overflow in xsltAddTextString 53/156553/1 accepted/tizen/base/20171027.152117 submit/tizen_base/20171019.015259
authorMyoungJune Park <mj2004.park@samsung.com>
Thu, 19 Oct 2017 01:49:14 +0000 (10:49 +0900)
committerMyoungJune Park <mj2004.park@samsung.com>
Thu, 19 Oct 2017 01:49:14 +0000 (10:49 +0900)
CVE-2017-1000249

author Nick Wellnhofer <wellnhofer@aevum.de> 2017-01-12 14:39:52 (GMT)
committer Nick Wellnhofer <wellnhofer@aevum.de> 2017-02-03 11:24:22 (GMT)

Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
exploited to trigger an out of bounds write on 64-bit systems.

Originally reported to Chromium:

https://crbug.com/676623

Change-Id: Ibc82e53973e8b2e4ee964c042f42b324295b49a5

libxslt/transform.c patch | blob | history
libxslt/xsltInternals.h patch | blob | history

diff --git a/libxslt/transform.c b/libxslt/transform.c
index 8b86e2e..25bc8bc 100644 (file)
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -816,13 +816,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
         return(target);
 
     if (ctxt->lasttext == target->content) {
+        int minSize;
 
-       if (ctxt->lasttuse + len >= ctxt->lasttsize) {
+        /* Check for integer overflow accounting for NUL terminator. */
+        if (len >= INT_MAX - ctxt->lasttuse) {
+            xsltTransformError(ctxt, NULL, target,
+                "xsltCopyText: text allocation failed\n");
+            return(NULL);
+        }
+        minSize = ctxt->lasttuse + len + 1;
+
+        if (ctxt->lasttsize < minSize) {
            xmlChar *newbuf;
            int size;
+            int extra;
+
+            /* Double buffer size but increase by at least 100 bytes. */
+            extra = minSize < 100 ? 100 : minSize;
+
+            /* Check for integer overflow. */
+            if (extra > INT_MAX - ctxt->lasttsize) {
+                size = INT_MAX;
+            }
+            else {
+                size = ctxt->lasttsize + extra;
+            }
 
-           size = ctxt->lasttsize + len + 100;
-           size *= 2;
            newbuf = (xmlChar *) xmlRealloc(target->content,size);
            if (newbuf == NULL) {
                xsltTransformError(ctxt, NULL, target,
diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
index 7123ace..8a6ac24 100644 (file)
--- a/libxslt/xsltInternals.h
+++ b/libxslt/xsltInternals.h
@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
      * Speed optimization when coalescing text nodes
      */
     const xmlChar  *lasttext;          /* last text node content */
-    unsigned int    lasttsize;         /* last text node size */
-    unsigned int    lasttuse;          /* last text node use */
+    int             lasttsize;         /* last text node size */
+    int             lasttuse;          /* last text node use */
     /*
      * Per Context Debugging
      */
Domain: System / Base;