mirror of
https://git.yoctoproject.org/poky
synced 2026-03-03 05:49:39 +01:00
c2bd2eae86
Add patch for CVE issue: CVE-2022-29824 CVE-2022-29824 Link: [2554a2408e] Dependent patch: [b07251215e] (From OE-Core rev: 096ca5fa8cc4672e5e9b25dffe81b176b252d570) Signed-off-by: Riyaz <Riyaz.Khan@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
54 lines
1.6 KiB
Diff
54 lines
1.6 KiB
Diff
From b07251215ef48c70c6e56f7351406c47cfca4d5b Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Fri, 10 Jan 2020 15:55:07 +0100
|
|
Subject: [PATCH] Fix integer overflow in xmlBufferResize
|
|
|
|
Found by OSS-Fuzz.
|
|
|
|
CVE: CVE-2022-29824
|
|
|
|
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/b07251215ef48c70c6e56f7351406c47cfca4d5b]
|
|
|
|
Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
|
|
|
|
---
|
|
tree.c | 9 +++++++--
|
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/tree.c b/tree.c
|
|
index 0d7fc98c..f43f6de1 100644
|
|
--- a/tree.c
|
|
+++ b/tree.c
|
|
@@ -7424,12 +7424,17 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
|
|
if (size < buf->size)
|
|
return 1;
|
|
|
|
+ if (size > UINT_MAX - 10) {
|
|
+ xmlTreeErrMemory("growing buffer");
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
/* figure out new size */
|
|
switch (buf->alloc){
|
|
case XML_BUFFER_ALLOC_IO:
|
|
case XML_BUFFER_ALLOC_DOUBLEIT:
|
|
/*take care of empty case*/
|
|
- newSize = (buf->size ? buf->size*2 : size + 10);
|
|
+ newSize = (buf->size ? buf->size : size + 10);
|
|
while (size > newSize) {
|
|
if (newSize > UINT_MAX / 2) {
|
|
xmlTreeErrMemory("growing buffer");
|
|
@@ -7445,7 +7450,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
|
|
if (buf->use < BASE_BUFFER_SIZE)
|
|
newSize = size;
|
|
else {
|
|
- newSize = buf->size * 2;
|
|
+ newSize = buf->size;
|
|
while (size > newSize) {
|
|
if (newSize > UINT_MAX / 2) {
|
|
xmlTreeErrMemory("growing buffer");
|
|
--
|
|
GitLab
|
|
|
|
|