Fix integer overflow in xmlBufferResize

Found by OSS-Fuzz.
2025-02-14 13:58:27 +03:00 · 2020-01-10 15:55:07 +01:00 · 2020-01-10 15:55:07 +01:00 · b07251215e
commit b07251215e
parent 3e7e75bed2
1 changed files with 7 additions and 2 deletions
--- a/tree.c
+++ b/tree.c
@ -7424,12 +7424,17 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
    if (size < buf->size)
        return 1;

+    if (size > UINT_MAX - 10) {
+        xmlTreeErrMemory("growing buffer");
+        return 0;
+    }
+
    /* figure out new size */
    switch (buf->alloc){
 	case XML_BUFFER_ALLOC_IO:
 	case XML_BUFFER_ALLOC_DOUBLEIT:
 	    /*take care of empty case*/
-	    newSize = (buf->size ? buf->size*2 : size + 10);
+	    newSize = (buf->size ? buf->size : size + 10);
 	    while (size > newSize) {
 	        if (newSize > UINT_MAX / 2) {
 	            xmlTreeErrMemory("growing buffer");
@ -7445,7 +7450,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
            if (buf->use < BASE_BUFFER_SIZE)
                newSize = size;
            else {
-                newSize = buf->size * 2;
+                newSize = buf->size;
                while (size > newSize) {
                    if (newSize > UINT_MAX / 2) {
                        xmlTreeErrMemory("growing buffer");