xsltTextAddString could still overflow if adding exactly at 2GB boundary |
|||
Issue descriptionSee Issue 676623 , Comment 47. I added overflow checks in 14b7c024aaec338adcbf87cbeee54cf6137d7f8a but adding a string which causes the buffer to fit exactly INT_MAX may overflow minSize which +1s to accommodate a null terminator.
,
May 3 2017
Actually, I think the existing code is fine because it uses ">=" instead of ">" for the comparison.
The most "obvious" fix here is to account for the NUL terminator explicitly like this:
/* Check for integer overflow accounting for NUL terminator. */
- if (len >= INT_MAX - ctxt->lasttuse) {
+ if (len > INT_MAX - ctxt->lasttuse - 1) {
xsltTransformError(ctxt, NULL, target,
"xsltCopyText: text allocation failed\n");
return(NULL);
}
However, I maintain that the above to 'if' statements have the same result for all values of 'len' > 0 and 'ctxt->lasttuse' >= 0.
(Recall that 'len <= 0' is checked prior to this statement (with an early return), so 'len' will always be greater than zero above.)
,
May 3 2017
* the above _two_ 'if' statements
,
May 8 2017
Yes, that's right re: >=. Maybe it is simpler to leave this as-is.
,
Aug 14 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||
►
Sign in to add a comment |
|||
Comment 1 by dominicc@chromium.org
, May 1 2017