CVE-2017-5029: Check for integer overflow in xsltAddTextString (08ab2774) · Commits · GNOME / libxslt
The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
Commit 08ab2774 authored Jan 12, 2017 by
Check for integer overflow in xsltAddTextString
Limit buffer size in xsltAddTextString to INT_MAX. The issue can be exploited to trigger an out of bounds write on 64-bit systems.
Originally reported to Chromium:
https://crbug.com/676623
@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
return(target);
if (ctxt->lasttext == target->content) {
int minSize;
if (ctxt->lasttuse + len >= ctxt->lasttsize) {
/* Check for integer overflow accounting for NUL terminator. */
if (len >= INT_MAX - ctxt->lasttuse) {
xsltTransformError(ctxt, NULL, target,
“xsltCopyText: text allocation failed\n”);
return(NULL);
}
minSize = ctxt->lasttuse + len + 1;
if (ctxt->lasttsize < minSize) {
xmlChar *newbuf;
int size;
int extra;
/* Double buffer size but increase by at least 100 bytes. */
extra = minSize < 100 ? 100 : minSize;
/* Check for integer overflow. */
if (extra > INT_MAX - ctxt->lasttsize) {
size = INT_MAX;
}
else {
size = ctxt->lasttsize + extra;
}
size = ctxt->lasttsize + len + 100;
size *= 2;
newbuf = (xmlChar *) xmlRealloc(target->content,size);
if (newbuf == NULL) {
xsltTransformError(ctxt, NULL, target,
@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
* Speed optimization when coalescing text nodes
*/
const xmlChar *lasttext; /* last text node content */
unsigned int lasttsize; /* last text node size */
unsigned int lasttuse; /* last text node use */
int lasttsize; /* last text node size */
int lasttuse; /* last text node use */
/*
* Per Context Debugging
*/
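Review bot: The switch of `lasttsize`/`lasttuse` from `unsigned int` to `int` leaves the invariant the new checks rely on undocumented: the guards added in transform.c (`len >= INT_MAX - ctxt->lasttuse`, `extra > INT_MAX - ctxt->lasttsize`) are only well-defined while both fields are non-negative, since `INT_MAX - x` with a negative `x` is itself signed overflow rather than a caught condition. I would say so on the fields, e.g. `int lasttsize; /* last text node size; 0..INT_MAX, never negative */` and `int lasttuse; /* last text node use; 0..INT_MAX, never negative */`. Because this struct is in a public header, it is also worth a line in the commit description noting that the fields keep their width (layout unchanged) but any out-of-tree code comparing them against `size_t` values now does signed/unsigned comparisons.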