mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-15 10:54:27 -05:00
082bc48c32
https://review.lineageos.org/q/topic:P_asb_2022-05 https://review.lineageos.org/q/topic:P_asb_2022-06 https://review.lineageos.org/q/topic:P_asb_2022-07 https://review.lineageos.org/q/topic:P_asb_2022-08 https://review.lineageos.org/q/topic:P_asb_2022-09 https://review.lineageos.org/q/topic:P_asb_2022-10 https://review.lineageos.org/q/topic:P_asb_2022-11 https://review.lineageos.org/q/topic:P_asb_2022-12 https://review.lineageos.org/q/topic:P_asb_2023-01 https://review.lineageos.org/q/topic:P_asb_2023-02 https://review.lineageos.org/q/topic:P_asb_2023-03 https://review.lineageos.org/q/topic:P_asb_2023-04 https://review.lineageos.org/q/topic:P_asb_2023-05 https://review.lineageos.org/q/topic:P_asb_2023-06 https://review.lineageos.org/q/topic:P_asb_2023-07 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250 https://review.lineageos.org/q/topic:P_asb_2023-08 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328 https://review.lineageos.org/q/topic:P_asb_2023-09 https://review.lineageos.org/q/topic:P_asb_2023-10 https://review.lineageos.org/q/topic:P_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916 https://review.lineageos.org/q/topic:P_asb_2023-12 https://review.lineageos.org/q/topic:P_asb_2024-01 https://review.lineageos.org/q/topic:P_asb_2024-02 https://review.lineageos.org/q/topic:P_asb_2024-03 https://review.lineageos.org/q/topic:P_asb_2024-04 Signed-off-by: Tavi <tavi@divested.dev>
55 lines
1.9 KiB
Diff
55 lines
1.9 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Sadaf Ebrahimi <sadafebrahimi@google.com>
|
|
Date: Fri, 3 Jun 2022 03:40:21 +0000
|
|
Subject: [PATCH] Prevent integer overflow in function doProlog
|
|
|
|
Bug: http://b/221256678
|
|
Change-Id: I6fe381103f4eb287726d1ccb5bfec99db160ffe4
|
|
(cherry picked from commit 257f1d3777240016d3ccd74a61cd7d0e0efcaae3)
|
|
Merged-In: I6fe381103f4eb287726d1ccb5bfec99db160ffe4
|
|
---
|
|
lib/xmlparse.c | 20 +++++++++++++-------
|
|
1 file changed, 13 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
|
index 1d6e722d..7d91ed2b 100644
|
|
--- a/lib/xmlparse.c
|
|
+++ b/lib/xmlparse.c
|
|
@@ -5187,23 +5187,29 @@ doProlog(XML_Parser parser,
|
|
if (dtd->in_eldecl) {
|
|
ELEMENT_TYPE *el;
|
|
const XML_Char *name;
|
|
- int nameLen;
|
|
- const char *nxt = (quant == XML_CQUANT_NONE
|
|
- ? next
|
|
- : next - enc->minBytesPerChar);
|
|
+ size_t nameLen;
|
|
+ const char *nxt
|
|
+ = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
|
|
int myindex = nextScaffoldPart(parser);
|
|
if (myindex < 0)
|
|
return XML_ERROR_NO_MEMORY;
|
|
dtd->scaffold[myindex].type = XML_CTYPE_NAME;
|
|
dtd->scaffold[myindex].quant = quant;
|
|
el = getElementType(parser, enc, s, nxt);
|
|
- if (!el)
|
|
+ if (! el)
|
|
return XML_ERROR_NO_MEMORY;
|
|
name = el->name;
|
|
dtd->scaffold[myindex].name = name;
|
|
nameLen = 0;
|
|
- for (; name[nameLen++]; );
|
|
- dtd->contentStringLen += nameLen;
|
|
+ for (; name[nameLen++];)
|
|
+ ;
|
|
+
|
|
+ /* Detect and prevent integer overflow */
|
|
+ if (nameLen > UINT_MAX - dtd->contentStringLen) {
|
|
+ return XML_ERROR_NO_MEMORY;
|
|
+ }
|
|
+
|
|
+ dtd->contentStringLen += (unsigned)nameLen;
|
|
if (parser->m_elementDeclHandler)
|
|
handleDefault = XML_FALSE;
|
|
}
|