--- /dev/null
+--- tree.c.orig 2008-10-31 18:14:00.000000000 -0700
++++ tree.c 2008-10-31 18:14:35.000000000 -0700
+@@ -14,7 +14,7 @@
+ #include "libxml.h"
+
+ #include <string.h> /* for memset() only ! */
+-
++#include <limits.h>
+ #ifdef HAVE_CTYPE_H
+ #include <ctype.h>
+ #endif
+@@ -6996,7 +6996,13 @@
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+ newSize = (buf->size ? buf->size*2 : size + 10);
+- while (size > newSize) newSize *= 2;
++ while (size > newSize) {
++ if (newSize > UINT_MAX / 2) {
++ xmlTreeErrMemory("growing buffer");
++ return 0;
++ }
++ newSize *= 2;
++ }
+ break;
+ case XML_BUFFER_ALLOC_EXACT:
+ newSize = size+10;
--- /dev/null
+--- SAX2.c.orig 2008-01-25 08:10:04.000000000 -0500
++++ SAX2.c 2008-11-07 05:07:34.000000000 -0500
+@@ -11,6 +11,7 @@
+ #include "libxml.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include <libxml/xmlmemory.h>
+ #include <libxml/tree.h>
+ #include <libxml/parser.h>
+@@ -26,6 +27,11 @@
+ #include <libxml/HTMLtree.h>
+ #include <libxml/globals.h>
+
++/* Define SIZE_T_MAX unless defined through <limits.h>. */
++#ifndef SIZE_T_MAX
++# define SIZE_T_MAX ((size_t)-1)
++#endif /* !SIZE_T_MAX */
++
+ /* #define DEBUG_SAX2 */
+ /* #define DEBUG_SAX2_TREE */
+
+@@ -2445,9 +2451,14 @@
+ (xmlDictOwns(ctxt->dict, lastChild->content))) {
+ lastChild->content = xmlStrdup(lastChild->content);
+ }
++ if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
++ (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
++ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
++ return;
++ }
+ if (ctxt->nodelen + len >= ctxt->nodemem) {
+ xmlChar *newbuf;
+- int size;
++ size_t size;
+
+ size = ctxt->nodemem + len;
+ size *= 2;
projects / packages / libxml2.git / commitdiff