DivestOS/Patches/LineageOS-16.0/android_external_expat/338354.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sadaf Ebrahimi <sadafebrahimi@google.com>
Date: Thu, 2 Jun 2022 19:32:22 +0000
Subject: [PATCH] Prevent XML_GetBuffer signed integer overflow

Bug: http://b/221255869
Change-Id: I38758fae8c71184f728f95e6073457cdb86bcc29
(cherry picked from commit d6a09f1b7fb24dd03dc58e45062ad951a37ff8e3)
Merged-In: I38758fae8c71184f728f95e6073457cdb86bcc29
---
 lib/xmlparse.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 67f661b5..1d6e722d 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -2040,6 +2040,11 @@ XML_GetBuffer(XML_Parser parser, int len)
     keep = (int)(parser->m_bufferPtr - parser->m_buffer);
     if (keep > XML_CONTEXT_BYTES)
       keep = XML_CONTEXT_BYTES;
+    /* Detect and prevent integer overflow */
+    if (keep > INT_MAX - neededSize) {
+      parser->m_errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
     neededSize += keep;
 #endif  /* defined XML_CONTEXT_BYTES */
     if (neededSize  <= parser->m_bufferLim - parser->m_buffer) {
16.0: Import and verify picks https://review.lineageos.org/q/topic:P_asb_2022-05 https://review.lineageos.org/q/topic:P_asb_2022-06 https://review.lineageos.org/q/topic:P_asb_2022-07 https://review.lineageos.org/q/topic:P_asb_2022-08 https://review.lineageos.org/q/topic:P_asb_2022-09 https://review.lineageos.org/q/topic:P_asb_2022-10 https://review.lineageos.org/q/topic:P_asb_2022-11 https://review.lineageos.org/q/topic:P_asb_2022-12 https://review.lineageos.org/q/topic:P_asb_2023-01 https://review.lineageos.org/q/topic:P_asb_2023-02 https://review.lineageos.org/q/topic:P_asb_2023-03 https://review.lineageos.org/q/topic:P_asb_2023-04 https://review.lineageos.org/q/topic:P_asb_2023-05 https://review.lineageos.org/q/topic:P_asb_2023-06 https://review.lineageos.org/q/topic:P_asb_2023-07 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250 https://review.lineageos.org/q/topic:P_asb_2023-08 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328 https://review.lineageos.org/q/topic:P_asb_2023-09 https://review.lineageos.org/q/topic:P_asb_2023-10 https://review.lineageos.org/q/topic:P_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916 https://review.lineageos.org/q/topic:P_asb_2023-12 https://review.lineageos.org/q/topic:P_asb_2024-01 https://review.lineageos.org/q/topic:P_asb_2024-02 https://review.lineageos.org/q/topic:P_asb_2024-03 https://review.lineageos.org/q/topic:P_asb_2024-04 Signed-off-by: Tavi <tavi@divested.dev> 2024-05-07 19:13:31 -04:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: Sadaf Ebrahimi <sadafebrahimi@google.com>`
			`Date: Thu, 2 Jun 2022 19:32:22 +0000`
			`Subject: [PATCH] Prevent XML_GetBuffer signed integer overflow`

			`Bug: http://b/221255869`
			`Change-Id: I38758fae8c71184f728f95e6073457cdb86bcc29`
			`(cherry picked from commit d6a09f1b7fb24dd03dc58e45062ad951a37ff8e3)`
			`Merged-In: I38758fae8c71184f728f95e6073457cdb86bcc29`
			`---`
			`lib/xmlparse.c \| 5 +++++`
			`1 file changed, 5 insertions(+)`

			`diff --git a/lib/xmlparse.c b/lib/xmlparse.c`
			`index 67f661b5..1d6e722d 100644`
			`--- a/lib/xmlparse.c`
			`+++ b/lib/xmlparse.c`
			`@@ -2040,6 +2040,11 @@ XML_GetBuffer(XML_Parser parser, int len)`
			`keep = (int)(parser->m_bufferPtr - parser->m_buffer);`
			`if (keep > XML_CONTEXT_BYTES)`
			`keep = XML_CONTEXT_BYTES;`
			`+ /* Detect and prevent integer overflow */`
			`+ if (keep > INT_MAX - neededSize) {`
			`+ parser->m_errorCode = XML_ERROR_NO_MEMORY;`
			`+ return NULL;`
			`+ }`
			`neededSize += keep;`
			`#endif /* defined XML_CONTEXT_BYTES */`
			`if (neededSize <= parser->m_bufferLim - parser->m_buffer) {`