mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2026-01-26 21:41:34 +03:00

regexp: Avoid integer overflow and OOB array access

Limit size of 2D arrays to XML_MAX_ITEMS (1e9) to avoid overflow of int
indexes.

Fixes #950.
Nick Wellnhofer
2025-08-12 13:18:46 +02:00
parent c4b278ecd3
commit 24caea6383


@@ -473,14 +473,17 @@ static int xmlFAComputesDeterminism(xmlRegParserCtxtPtr ctxt);
*/
static void*
xmlRegCalloc2(size_t dim1, size_t dim2, size_t elemSize) {
size_t totalSize;
size_t numElems, totalSize;
void *ret;
/* Check for overflow */
if ((dim2 == 0) || (elemSize == 0) ||
(dim1 > SIZE_MAX / dim2 / elemSize))
return (NULL);
totalSize = dim1 * dim2 * elemSize;
numElems = dim1 * dim2;
if (numElems > XML_MAX_ITEMS)
return NULL;
totalSize = numElems * elemSize;
ret = xmlMalloc(totalSize);
if (ret != NULL)
memset(ret, 0, totalSize);
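Review bot: The new `if (numElems > XML_MAX_ITEMS) return NULL;` makes xmlRegCalloc2 return NULL for a size-limit rejection as well as for an allocation failure, and nothing in the visible lines lets a caller tell the two apart. If the callers (outside this hunk) report every NULL as out-of-memory, an oversized automaton built from untrusted input would be recorded as memory exhaustion rather than as a limit violation; that is worth confirming. At minimum the header comment, which starts above the hunk, should state the cap, e.g. `Returns NULL if dim1 * dim2 exceeds XML_MAX_ITEMS, if the byte size would overflow, or if allocation fails.` The added `return NULL;` is also styled differently from the `return (NULL);` a few lines earlier in the same function. The function's return statement and closing brace lie outside the hunk.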