fix for CVE-2008-4226, a memory overflow when building gigantic text

* SAX2.c parser.c: fix for CVE-2008-4226, a memory overflow when building gigantic text nodes, and a bit of cleanup to better handled out of memory problem in that code. * tree.c: fix for CVE-2008-4225, lack of testing leads to a busy loop test assuming one have enough core memory. Daniel svn path=/trunk/; revision=3803
2025-08-29 01:49:22 +03:00 · 2008-11-17 15:59:21 +00:00
parent 6b09901479
commit 1dc9feb00f
4 changed files with 34 additions and 3 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+Mon Nov 17 16:56:18 CET 2008 Daniel Veillard <daniel@veillard.com>
+
+	* SAX2.c parser.c: fix for CVE-2008-4226, a memory overflow
+	  when building gigantic text nodes, and a bit of cleanup
+	  to better handled out of memory problem in that code.
+	* tree.c: fix for CVE-2008-4225, lack of testing leads to
+	  a busy loop test assuming one have enough core memory.
+
 Thu Nov  6 14:34:35 CET 2008 Daniel Veillard <daniel@veillard.com>

 	* xmllint.c: Matthias Kaehlcke reported a build problem when
--- a/SAX2.c
+++ b/SAX2.c
@ -11,6 +11,7 @@
 #include "libxml.h"
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include <libxml/xmlmemory.h>
 #include <libxml/tree.h>
 #include <libxml/parser.h>
@ -26,6 +27,11 @@
 #include <libxml/HTMLtree.h>
 #include <libxml/globals.h>

+/* Define SIZE_T_MAX unless defined through <limits.h>. */
+#ifndef SIZE_T_MAX
+# define SIZE_T_MAX     ((size_t)-1)
+#endif /* !SIZE_T_MAX */
+
 /* #define DEBUG_SAX2 */
 /* #define DEBUG_SAX2_TREE */

@ -2455,9 +2461,14 @@ xmlSAX2Characters(void *ctx, const xmlChar *ch, int len)
 	               (xmlDictOwns(ctxt->dict, lastChild->content))) {
 		lastChild->content = xmlStrdup(lastChild->content);
 	    }
+	    if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len || 
+	        (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
+	            xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
+	            return;
+	    }
 	    if (ctxt->nodelen + len >= ctxt->nodemem) {
 		xmlChar *newbuf;
-		int size;
+		size_t size;

 		size = ctxt->nodemem + len;
 		size *= 2;
--- a/parser.c
+++ b/parser.c
@ -4142,6 +4142,9 @@ get_more:
                    line = ctxt->input->line;
                    col = ctxt->input->col;
 		}
+                /* something really bad happened in the SAX callback */
+                if (ctxt->instate != XML_PARSER_CONTENT)
+                    return;
 	    }
 	    ctxt->input->cur = in;
 	    if (*in == 0xD) {
@ -4222,6 +4225,9 @@ xmlParseCharDataComplex(xmlParserCtxtPtr ctxt, int cdata) {
 		}
 	    }
 	    nbchar = 0;
+            /* something really bad happened in the SAX callback */
+            if (ctxt->instate != XML_PARSER_CONTENT)
+                return;
 	}
 	count++;
 	if (count > 50) {
--- a/tree.c
+++ b/tree.c
@ -14,7 +14,7 @@
 #include "libxml.h"

 #include <string.h> /* for memset() only ! */
-
+#include <limits.h>
 #ifdef HAVE_CTYPE_H
 #include <ctype.h>
 #endif
@ -6996,7 +6996,13 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
 	case XML_BUFFER_ALLOC_DOUBLEIT:
 	    /*take care of empty case*/
 	    newSize = (buf->size ? buf->size*2 : size + 10);
-	    while (size > newSize) newSize *= 2;
+	    while (size > newSize) {
+	        if (newSize > UINT_MAX / 2) {
+	            xmlTreeErrMemory("growing buffer");
+	            return 0;
+	        }
+	        newSize *= 2;
+	    }
 	    break;
 	case XML_BUFFER_ALLOC_EXACT:
 	    newSize = size+10;