|
| 1 | +From acf956f14bf79a5e6383a969aaffec98bfbc2e44 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Sebastian Pipping <sebastian@pipping.org> |
| 3 | +Date: Sun, 23 Jan 2022 18:17:04 +0100 |
| 4 | +Subject: [PATCH] tests: Cover integer overflow in XML_GetBuffer |
| 5 | + (CVE-2022-23852) |
| 6 | + |
| 7 | +--- |
| 8 | + expat/tests/runtests.c | 27 +++++++++++++++++++++++++++ |
| 9 | + 1 file changed, 27 insertions(+) |
| 10 | + |
| 11 | +diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c |
| 12 | +index e89e8220..579dad1a 100644 |
| 13 | +--- a/expat/tests/runtests.c |
| 14 | ++++ b/expat/tests/runtests.c |
| 15 | +@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) { |
| 16 | + } |
| 17 | + END_TEST |
| 18 | + |
| 19 | ++/* Test for signed integer overflow CVE-2022-23852 */ |
| 20 | ++#if defined(XML_CONTEXT_BYTES) |
| 21 | ++START_TEST(test_get_buffer_3_overflow) { |
| 22 | ++ XML_Parser parser = XML_ParserCreate(NULL); |
| 23 | ++ assert(parser != NULL); |
| 24 | ++ |
| 25 | ++ const char *const text = "\n"; |
| 26 | ++ const int expectedKeepValue = (int)strlen(text); |
| 27 | ++ |
| 28 | ++ // After this call, variable "keep" in XML_GetBuffer will |
| 29 | ++ // have value expectedKeepValue |
| 30 | ++ if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */) |
| 31 | ++ == XML_STATUS_ERROR) |
| 32 | ++ xml_failure(parser); |
| 33 | ++ |
| 34 | ++ assert(expectedKeepValue > 0); |
| 35 | ++ if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL) |
| 36 | ++ fail("enlarging buffer not failed"); |
| 37 | ++ |
| 38 | ++ XML_ParserFree(parser); |
| 39 | ++} |
| 40 | ++END_TEST |
| 41 | ++#endif // defined(XML_CONTEXT_BYTES) |
| 42 | ++ |
| 43 | + /* Test position information macros */ |
| 44 | + START_TEST(test_byte_info_at_end) { |
| 45 | + const char *text = "<doc></doc>"; |
| 46 | +@@ -11731,6 +11755,9 @@ make_suite(void) { |
| 47 | + tcase_add_test(tc_basic, test_empty_parse); |
| 48 | + tcase_add_test(tc_basic, test_get_buffer_1); |
| 49 | + tcase_add_test(tc_basic, test_get_buffer_2); |
| 50 | ++#if defined(XML_CONTEXT_BYTES) |
| 51 | ++ tcase_add_test(tc_basic, test_get_buffer_3_overflow); |
| 52 | ++#endif |
| 53 | + tcase_add_test(tc_basic, test_byte_info_at_end); |
| 54 | + tcase_add_test(tc_basic, test_byte_info_at_error); |
| 55 | + tcase_add_test(tc_basic, test_byte_info_at_cdata); |
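Review bot: In test_get_buffer_3_overflow the parser-creation check is an `assert()`, which compiles to nothing under NDEBUG, so a failed XML_ParserCreate would continue into XML_Parse with a NULL parser instead of failing the test; `if (parser == NULL) fail("Parser not created");` keeps the check in every build. The `#if defined(XML_CONTEXT_BYTES)` guard is also true when the macro is defined as 0. If XML_GetBuffer limits `keep` to that macro (not visible on this page, please confirm), the comment's premise that `keep` equals expectedKeepValue would not hold in that configuration, and the request would no longer sit on the overflow boundary. `#if defined(XML_CONTEXT_BYTES) && XML_CONTEXT_BYTES > 0`, used both around the test and around its `tcase_add_test` line in make_suite, would state the real requirement. It would also help to add a comment such as `/* INT_MAX - keep + 1 is the smallest len for which len + keep exceeds INT_MAX */` above the XML_GetBuffer call, so the choice of boundary value is explicit.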