mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
082bc48c32
https://review.lineageos.org/q/topic:P_asb_2022-05 https://review.lineageos.org/q/topic:P_asb_2022-06 https://review.lineageos.org/q/topic:P_asb_2022-07 https://review.lineageos.org/q/topic:P_asb_2022-08 https://review.lineageos.org/q/topic:P_asb_2022-09 https://review.lineageos.org/q/topic:P_asb_2022-10 https://review.lineageos.org/q/topic:P_asb_2022-11 https://review.lineageos.org/q/topic:P_asb_2022-12 https://review.lineageos.org/q/topic:P_asb_2023-01 https://review.lineageos.org/q/topic:P_asb_2023-02 https://review.lineageos.org/q/topic:P_asb_2023-03 https://review.lineageos.org/q/topic:P_asb_2023-04 https://review.lineageos.org/q/topic:P_asb_2023-05 https://review.lineageos.org/q/topic:P_asb_2023-06 https://review.lineageos.org/q/topic:P_asb_2023-07 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250 https://review.lineageos.org/q/topic:P_asb_2023-08 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328 https://review.lineageos.org/q/topic:P_asb_2023-09 https://review.lineageos.org/q/topic:P_asb_2023-10 https://review.lineageos.org/q/topic:P_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916 https://review.lineageos.org/q/topic:P_asb_2023-12 https://review.lineageos.org/q/topic:P_asb_2024-01 https://review.lineageos.org/q/topic:P_asb_2024-02 https://review.lineageos.org/q/topic:P_asb_2024-03 https://review.lineageos.org/q/topic:P_asb_2024-04 Signed-off-by: Tavi <tavi@divested.dev>
248 lines
8.9 KiB
Diff
248 lines
8.9 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Sadaf Ebrahimi <sadafebrahimi@google.com>
|
|
Date: Wed, 15 Jun 2022 04:14:33 +0000
|
|
Subject: [PATCH] Prevent more integer overflows
|
|
|
|
Bug: http://b/219942275
|
|
Change-Id: I7489f59564e0053a4a46bb8c362f7c36ab0b3c9d
|
|
Merged-In: Ic5c8087ee64e6faafcf013cef9536c042eb8a09d
|
|
(cherry picked from commit 15a1f35dddde9c1a0a626972349a59642abd345a)
|
|
Merged-In: I7489f59564e0053a4a46bb8c362f7c36ab0b3c9d
|
|
---
|
|
lib/xmlparse.c | 152 ++++++++++++++++++++++++++++++++++++++++++++++++-
|
|
1 file changed, 150 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
|
index 7d91ed2b..121b63f7 100644
|
|
--- a/lib/xmlparse.c
|
|
+++ b/lib/xmlparse.c
|
|
@@ -3187,13 +3187,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
|
|
|
|
/* get the attributes from the tokenizer */
|
|
n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
|
|
+
|
|
+ /* Detect and prevent integer overflow */
|
|
+ if (n > INT_MAX - nDefaultAtts) {
|
|
+ return XML_ERROR_NO_MEMORY;
|
|
+ }
|
|
+
|
|
if (n + nDefaultAtts > parser->m_attsSize) {
|
|
int oldAttsSize = parser->m_attsSize;
|
|
ATTRIBUTE *temp;
|
|
#ifdef XML_ATTR_INFO
|
|
XML_AttrInfo *temp2;
|
|
#endif
|
|
+
|
|
+ /* Detect and prevent integer overflow */
|
|
+ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
|
|
+ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
|
|
+ return XML_ERROR_NO_MEMORY;
|
|
+ }
|
|
+
|
|
parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
|
|
+
|
|
+ /* Detect and prevent integer overflow.
|
|
+ * The preprocessor guard addresses the "always false" warning
|
|
+ * from -Wtype-limits on platforms where
|
|
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
|
+#if UINT_MAX >= SIZE_MAX
|
|
+ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
|
|
+ parser->m_attsSize = oldAttsSize;
|
|
+ return XML_ERROR_NO_MEMORY;
|
|
+ }
|
|
+#endif
|
|
+
|
|
temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts, parser->m_attsSize * sizeof(ATTRIBUTE));
|
|
if (temp == NULL) {
|
|
parser->m_attsSize = oldAttsSize;
|
|
@@ -3201,6 +3226,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
|
|
}
|
|
parser->m_atts = temp;
|
|
#ifdef XML_ATTR_INFO
|
|
+ /* Detect and prevent integer overflow.
|
|
+ * The preprocessor guard addresses the "always false" warning
|
|
+ * from -Wtype-limits on platforms where
|
|
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
|
+# if UINT_MAX >= SIZE_MAX
|
|
+ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
|
|
+ parser->m_attsSize = oldAttsSize;
|
|
+ return XML_ERROR_NO_MEMORY;
|
|
+ }
|
|
+# endif
|
|
+
|
|
temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo, parser->m_attsSize * sizeof(XML_AttrInfo));
|
|
if (temp2 == NULL) {
|
|
parser->m_attsSize = oldAttsSize;
|
|
@@ -3509,9 +3545,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
|
|
tagNamePtr->prefixLen = prefixLen;
|
|
for (i = 0; localPart[i++];)
|
|
; /* i includes null terminator */
|
|
+
|
|
+ /* Detect and prevent integer overflow */
|
|
+ if (binding->uriLen > INT_MAX - prefixLen
|
|
+ || i > INT_MAX - (binding->uriLen + prefixLen)) {
|
|
+ return XML_ERROR_NO_MEMORY;
|
|
+ }
|
|
+
|
|
n = i + binding->uriLen + prefixLen;
|
|
if (n > binding->uriAlloc) {
|
|
TAG *p;
|
|
+
|
|
+ /* Detect and prevent integer overflow */
|
|
+ if (n > INT_MAX - EXPAND_SPARE) {
|
|
+ return XML_ERROR_NO_MEMORY;
|
|
+ }
|
|
+ /* Detect and prevent integer overflow.
|
|
+ * The preprocessor guard addresses the "always false" warning
|
|
+ * from -Wtype-limits on platforms where
|
|
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
|
+#if UINT_MAX >= SIZE_MAX
|
|
+ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
|
|
+ return XML_ERROR_NO_MEMORY;
|
|
+ }
|
|
+#endif
|
|
+
|
|
uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
|
|
if (!uri)
|
|
return XML_ERROR_NO_MEMORY;
|
|
@@ -3612,6 +3670,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
|
|
if (parser->m_freeBindingList) {
|
|
b = parser->m_freeBindingList;
|
|
if (len > b->uriAlloc) {
|
|
+ /* Detect and prevent integer overflow */
|
|
+ if (len > INT_MAX - EXPAND_SPARE) {
|
|
+ return XML_ERROR_NO_MEMORY;
|
|
+ }
|
|
+
|
|
+ /* Detect and prevent integer overflow.
|
|
+ * The preprocessor guard addresses the "always false" warning
|
|
+ * from -Wtype-limits on platforms where
|
|
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
|
+#if UINT_MAX >= SIZE_MAX
|
|
+ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
|
|
+ return XML_ERROR_NO_MEMORY;
|
|
+ }
|
|
+#endif
|
|
+
|
|
XML_Char *temp = (XML_Char *)REALLOC(parser, b->uri,
|
|
sizeof(XML_Char) * (len + EXPAND_SPARE));
|
|
if (temp == NULL)
|
|
@@ -3625,6 +3698,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
|
|
b = (BINDING *)MALLOC(parser, sizeof(BINDING));
|
|
if (!b)
|
|
return XML_ERROR_NO_MEMORY;
|
|
+
|
|
+ /* Detect and prevent integer overflow */
|
|
+ if (len > INT_MAX - EXPAND_SPARE) {
|
|
+ return XML_ERROR_NO_MEMORY;
|
|
+ }
|
|
+ /* Detect and prevent integer overflow.
|
|
+ * The preprocessor guard addresses the "always false" warning
|
|
+ * from -Wtype-limits on platforms where
|
|
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
|
+#if UINT_MAX >= SIZE_MAX
|
|
+ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
|
|
+ return XML_ERROR_NO_MEMORY;
|
|
+ }
|
|
+#endif
|
|
+
|
|
b->uri = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
|
|
if (!b->uri) {
|
|
FREE(parser, b);
|
|
@@ -6025,7 +6113,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
|
|
}
|
|
else {
|
|
DEFAULT_ATTRIBUTE *temp;
|
|
+
|
|
+ /* Detect and prevent integer overflow */
|
|
+ if (type->allocDefaultAtts > INT_MAX / 2) {
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
int count = type->allocDefaultAtts * 2;
|
|
+
|
|
+ /* Detect and prevent integer overflow.
|
|
+ * The preprocessor guard addresses the "always false" warning
|
|
+ * from -Wtype-limits on platforms where
|
|
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
|
+#if UINT_MAX >= SIZE_MAX
|
|
+ if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
|
|
+ return 0;
|
|
+ }
|
|
+#endif
|
|
+
|
|
temp = (DEFAULT_ATTRIBUTE *)
|
|
REALLOC(parser, type->defaultAtts, (count * sizeof(DEFAULT_ATTRIBUTE)));
|
|
if (temp == NULL)
|
|
@@ -6700,8 +6805,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize)
|
|
/* check for overflow (table is half full) */
|
|
if (table->used >> (table->power - 1)) {
|
|
unsigned char newPower = table->power + 1;
|
|
+
|
|
+ /* Detect and prevent invalid shift */
|
|
+ if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
size_t newSize = (size_t)1 << newPower;
|
|
unsigned long newMask = (unsigned long)newSize - 1;
|
|
+
|
|
+ /* Detect and prevent integer overflow */
|
|
+ if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
size_t tsize = newSize * sizeof(NAMED *);
|
|
NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
|
|
if (!newV)
|
|
@@ -7067,6 +7184,20 @@ nextScaffoldPart(XML_Parser parser)
|
|
if (dtd->scaffCount >= dtd->scaffSize) {
|
|
CONTENT_SCAFFOLD *temp;
|
|
if (dtd->scaffold) {
|
|
+ /* Detect and prevent integer overflow */
|
|
+ if (dtd->scaffSize > UINT_MAX / 2u) {
|
|
+ return -1;
|
|
+ }
|
|
+ /* Detect and prevent integer overflow.
|
|
+ * The preprocessor guard addresses the "always false" warning
|
|
+ * from -Wtype-limits on platforms where
|
|
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
|
+#if UINT_MAX >= SIZE_MAX
|
|
+ if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
|
|
+ return -1;
|
|
+ }
|
|
+#endif
|
|
+
|
|
temp = (CONTENT_SCAFFOLD *)
|
|
REALLOC(parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
|
|
if (temp == NULL)
|
|
@@ -7143,9 +7274,26 @@ build_model (XML_Parser parser)
|
|
XML_Content *ret;
|
|
XML_Content *cpos;
|
|
XML_Char * str;
|
|
- int allocsize = (dtd->scaffCount * sizeof(XML_Content)
|
|
- + (dtd->contentStringLen * sizeof(XML_Char)));
|
|
|
|
+ /* Detect and prevent integer overflow.
|
|
+ * The preprocessor guard addresses the "always false" warning
|
|
+ * from -Wtype-limits on platforms where
|
|
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
|
+#if UINT_MAX >= SIZE_MAX
|
|
+ if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
|
|
+ return NULL;
|
|
+ }
|
|
+ if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
|
|
+ return NULL;
|
|
+ }
|
|
+#endif
|
|
+ if (dtd->scaffCount * sizeof(XML_Content)
|
|
+ > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
|
|
+ + (dtd->contentStringLen * sizeof(XML_Char)));
|
|
ret = (XML_Content *)MALLOC(parser, allocsize);
|
|
if (!ret)
|
|
return NULL;
|