Headline
CVE-2017-5130: Check for integer overflow in memory debug code (897dffba) · Commits · GNOME / libxml2
An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file.
Commit 897dffba authored Jun 06, 2017 by
Browse files
Check for integer overflow in memory debug code
Fixes bug 783026.
Thanks to Pranjal Jumde for the report.
- Changes 1
…
…
@@ -172,6 +172,13 @@ xmlMallocLoc(size_t size, const char * file, int line)
TEST_POINT
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
“xmlMallocLoc : Unsigned overflow\n”);
xmlMemoryDump();
return(NULL);
}
p = (MEMHDR *) malloc(RESERVE_SIZE+size);
if (!p) {
…
…
@@ -352,6 +359,13 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
#endif
xmlMutexUnlock(xmlMemMutex);
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
“xmlMallocLoc : Unsigned overflow\n”);
xmlMemoryDump();
return(NULL);
}
tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
if (!tmp) {
free§;
…
…
@@ -499,6 +513,13 @@ xmlMemStrdupLoc(const char *str, const char *file, int line)
if (!xmlMemInitialized) xmlInitMemory();
TEST_POINT
if (size > (MAX_SIZE_T - RESERVE_SIZE)) {
xmlGenericError(xmlGenericErrorContext,
“xmlMallocLoc : Unsigned overflow\n”);
xmlMemoryDump();
return(NULL);
}
p = (MEMHDR *) malloc(RESERVE_SIZE+size);
if (!p) {
goto error;
…
…