c14n: Check reallocations for overflow

2025-01-18 14:33:59 +08:00 · 2024-12-15 21:30:04 +01:00 · 2024-12-15 21:30:04 +01:00 · 509d498127
commit 509d498127
parent 58e2e72481
1 changed files with 25 additions and 22 deletions
--- a/c14n.c
+++ b/c14n.c
@ -25,6 +25,7 @@

 #include "private/error.h"
 #include "private/io.h"
+#include "private/memory.h"

 /************************************************************************
 *									*
@ -306,30 +307,26 @@ xmlC14NVisibleNsStackAdd(xmlC14NVisibleNsStackPtr cur, xmlNsPtr ns, xmlNodePtr n
       ((cur->nsTab != NULL) && (cur->nodeTab == NULL)))
 	return (1);

-    if ((cur->nsTab == NULL) && (cur->nodeTab == NULL)) {
-        cur->nsTab = (xmlNsPtr*) xmlMalloc(XML_NAMESPACES_DEFAULT * sizeof(xmlNsPtr));
-        cur->nodeTab = (xmlNodePtr*) xmlMalloc(XML_NAMESPACES_DEFAULT * sizeof(xmlNodePtr));
-	if ((cur->nsTab == NULL) || (cur->nodeTab == NULL))
-	    return (-1);
-	memset(cur->nsTab, 0 , XML_NAMESPACES_DEFAULT * sizeof(xmlNsPtr));
-	memset(cur->nodeTab, 0 , XML_NAMESPACES_DEFAULT * sizeof(xmlNodePtr));
-        cur->nsMax = XML_NAMESPACES_DEFAULT;
-    } else if(cur->nsMax == cur->nsCurEnd) {
-	void *tmp;
-	int tmpSize;
+    if (cur->nsMax <= cur->nsCurEnd) {
+	xmlNsPtr *tmp1;
+        xmlNodePtr *tmp2;
+	int newSize;

-	tmpSize = 2 * cur->nsMax;
-	tmp = xmlRealloc(cur->nsTab, tmpSize * sizeof(xmlNsPtr));
-	if (tmp == NULL)
-	    return (-1);
-	cur->nsTab = (xmlNsPtr*)tmp;
+        newSize = xmlGrowCapacity(cur->nsMax,
+                                  sizeof(tmp1[0]) + sizeof(tmp2[0]),
+                                  XML_NAMESPACES_DEFAULT, XML_MAX_ITEMS);

-	tmp = xmlRealloc(cur->nodeTab, tmpSize * sizeof(xmlNodePtr));
-	if (tmp == NULL)
+	tmp1 = xmlRealloc(cur->nsTab, newSize * sizeof(tmp1[0]));
+	if (tmp1 == NULL)
 	    return (-1);
-	cur->nodeTab = (xmlNodePtr*)tmp;
+	cur->nsTab = tmp1;

-	cur->nsMax = tmpSize;
+	tmp2 = xmlRealloc(cur->nodeTab, newSize * sizeof(tmp2[0]));
+	if (tmp2 == NULL)
+	    return (-1);
+	cur->nodeTab = tmp2;
+
+	cur->nsMax = newSize;
    }
    cur->nsTab[cur->nsCurEnd] = ns;
    cur->nodeTab[cur->nsCurEnd] = node;
@ -2142,14 +2139,20 @@ xmlC11NNormalizeString(const xmlChar * input,
        if ((out - buffer) > (buffer_size - 10)) {
            xmlChar *tmp;
            int indx = out - buffer;
+            int newSize;

-            buffer_size *= 2;
-            tmp = xmlRealloc(buffer, buffer_size);
+            newSize = xmlGrowCapacity(buffer_size, 1, 1, XML_MAX_ITEMS);
+            if (newSize < 0) {
+                xmlFree(buffer);
+                return(NULL);
+            }
+            tmp = xmlRealloc(buffer, newSize);
            if (tmp == NULL) {
                xmlFree(buffer);
                return(NULL);
            }
            buffer = tmp;
+            buffer_size = newSize;
            out = &buffer[indx];
        }