Bug 764616 - Unsigned addition may overflow when computing allocation size in xmlMallocAtomicLoc() in xmlmemory.c
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: git master
Hardware: Other
OS: All
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks: 765977

Reported: 2016-04-04 20:50 UTC by David Kilzer
Modified: 2017-06-11 14:06 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Patch v1 (1.84 KB, patch), attached 2016-04-05 20:59 UTC by David Kilzer

Description David Kilzer 2016-04-04 20:50:30 UTC
Placeholder for security bug.
Comment 1 David Kilzer 2016-04-05 19:07:38 UTC
Unsigned addition may overflow when computing allocation size in xmlMallocAtomicLoc() in xmlmemory.c:

    p = (MEMHDR *) malloc(RESERVE_SIZE+size);

There are no bounds checks on the 'size' parameter being passed into the function.
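The class of bug described in comment 1 is an unchecked size being added to a fixed header constant before the sum is passed to malloc(): because size_t arithmetic wraps, a size near SIZE_MAX turns into a tiny request and the caller receives a buffer far shorter than it asked for. The following is an added example written for this page, not libxml2's code and not the attached patch (which is not reproduced here beyond the documentation hunk); the dbg_hdr struct, RESERVE_SIZE, DBG_TAG and the function names are assumptions chosen to mimic a debug allocator that prepends a header to each block. It shows the wrapped request size beside a hardened allocator that refuses such sizes before calling malloc().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical header prepended to each block by a debug allocator.
 * Its layout is an assumption for this example; it is not libxml2's MEMHDR.
 */
typedef struct {
    size_t mh_size;        /* requested size, used to validate frees */
    unsigned int mh_tag;   /* marker used to detect corrupted headers */
} dbg_hdr;

#define RESERVE_SIZE sizeof(dbg_hdr)
#define DBG_TAG 0x5aa55aa5u

/*
 * The byte count the unchecked pattern malloc(RESERVE_SIZE + size) would
 * request. Unsigned addition wraps modulo SIZE_MAX + 1, so for a size close
 * to SIZE_MAX this is a small number, and the caller would be handed a buffer
 * far shorter than 'size' with no error reported.
 */
size_t unchecked_alloc_size(size_t size)
{
    return RESERVE_SIZE + size;
}

/* 1 if RESERVE_SIZE + size would wrap, 0 otherwise. */
int alloc_size_overflows(size_t size)
{
    /* Rearranged so the comparison itself cannot overflow. */
    return size > SIZE_MAX - RESERVE_SIZE;
}

/* Hardened allocator: refuse the request instead of letting the sum wrap. */
void *checked_malloc_with_header(size_t size)
{
    dbg_hdr *h;

    if (alloc_size_overflows(size)) {
        fprintf(stderr, "allocation of %zu bytes refused: size would wrap\n", size);
        return NULL;
    }
    h = malloc(RESERVE_SIZE + size);
    if (h == NULL)
        return NULL;
    h->mh_size = size;
    h->mh_tag = DBG_TAG;
    return (void *)(h + 1);   /* user pointer starts right after the header */
}

/* Release a block obtained from checked_malloc_with_header(). */
void checked_free_with_header(void *p)
{
    if (p != NULL)
        free((dbg_hdr *)p - 1);
}

/*
 * Allocate n bytes, fill them, verify the header, free. Returns 1 on
 * success, 0 if any step fails.
 */
int roundtrip_ok(size_t n)
{
    unsigned char *p = checked_malloc_with_header(n);
    dbg_hdr *h;

    if (p == NULL)
        return 0;
    memset(p, 0xA5, n);
    h = (dbg_hdr *)p - 1;
    if (h->mh_size != n || h->mh_tag != DBG_TAG) {
        checked_free_with_header(p);
        return 0;
    }
    checked_free_with_header(p);
    return 1;
}

int main(void)
{
    size_t huge = SIZE_MAX - 1;

    printf("RESERVE_SIZE = %zu\n", (size_t)RESERVE_SIZE);
    printf("unchecked request for SIZE_MAX-1 bytes asks malloc for %zu bytes\n",
           unchecked_alloc_size(huge));
    printf("checked allocator returns %s for SIZE_MAX-1\n",
           checked_malloc_with_header(huge) == NULL ? "NULL" : "a buffer");
    printf("roundtrip of 64 bytes: %s\n", roundtrip_ok(64) ? "ok" : "failed");
    return 0;
}
```

The check is written as `size > SIZE_MAX - RESERVE_SIZE` rather than `RESERVE_SIZE + size < size` so that the comparison never relies on the wrapped result; the exact boundary `SIZE_MAX - RESERVE_SIZE` is accepted and simply left for malloc() to reject.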
Comment 2 David Kilzer 2016-04-05 19:19:35 UTC
There isn't any known exploit here, so the security bits can probably be removed.
Comment 3 David Kilzer 2016-04-05 20:59:20 UTC
Created attachment 325453
Patch v1
Comment 4 David Kilzer 2016-04-05 21:18:39 UTC
Review of attachment 325453:

::: xmlmemory.c
@@ +219,3 @@
 /**
  * xmlMallocAtomicLoc:
+ * @size:  an unsigned int specifying the size in byte to allocate.
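Review bot: the @size line describes the parameter as "an unsigned int", but the overflow this patch is meant to prevent arises in RESERVE_SIZE+size being handed to malloc() (comment 1), which takes a size_t; if the parameter is in fact size_t, document it as such, since "unsigned int" understates the range the new check has to cover.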

There is another typo here ("byte" => "bytes") that can be fixed before landing.
Comment 5 Daniel Veillard 2016-05-23 01:27:41 UTC
That code is only used when compiling with memory debug; nobody can ship
libxml2 this way, as free and xmlFree become incompatible and everything
would break.

So not a security issue, but good to fix, thanks for the patch!
Applied as:

https://git.gnome.org/browse/libxml2/commit/?id=886529b56ccbf381d9a58c64b4d016a9d05e2c25

seems I missed the typo though :-\ sorry ...

    thanks!

Daniel
Comment 6 David Kilzer 2016-05-28 00:06:17 UTC
Fix committed to master in 886529b56ccbf381d9a58c64b4d016a9d05e2c25:

<https://git.gnome.org/browse/libxml2/commit/?id=886529b56ccbf381d9a58c64b4d016a9d05e2c25>