GNOME Bugzilla – Bug 764616
Unsigned addition may overflow when computing allocation size in xmlMallocAtomicLoc() in xmlmemory.c
Last modified: 2017-06-11 14:06:24 UTC
Placeholder for security bug.
Unsigned addition may overflow when computing allocation size in xmlMallocAtomicLoc() in xmlmemory.c: p = (MEMHDR *) malloc(RESERVE_SIZE+size); There are no bounds checks on the 'size' parameter being passed into the function.
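As an added illustration (not libxml2's own code), the snippet below reproduces the header-prefixed allocation pattern the report describes and shows the check that prevents RESERVE_SIZE+size from wrapping; MEMHDR, RESERVE_SIZE and MEM_TAG are stand-in definitions assumed here, not the ones in xmlmemory.c.

```c
/* Stand-in header and reserve size; libxml2's real MEMHDR differs. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    size_t mh_size;    /* requested size, recorded for later auditing */
    unsigned mh_tag;   /* marker verified on free */
} MEMHDR;

#define RESERVE_SIZE (sizeof(MEMHDR))
#define MEM_TAG 0x5aa5U

/* The unchecked total from the bug report: unsigned wrap for huge sizes. */
size_t unchecked_total(size_t size) {
    return RESERVE_SIZE + size;
}

/* True when RESERVE_SIZE + size fits in size_t without wrapping. */
bool size_fits(size_t size) {
    return size <= SIZE_MAX - RESERVE_SIZE;
}

/* Checked total; 0 signals overflow (a real total is never 0). */
size_t checked_total(size_t size) {
    return size_fits(size) ? RESERVE_SIZE + size : 0;
}

/* Allocate size bytes behind a MEMHDR; NULL on overflow or malloc failure. */
void *hdr_malloc(size_t size) {
    size_t total = checked_total(size);
    if (total == 0)
        return NULL;           /* refuse rather than allocate an undersized block */
    MEMHDR *p = malloc(total);
    if (p == NULL)
        return NULL;
    p->mh_size = size;
    p->mh_tag = MEM_TAG;
    return (char *)p + RESERVE_SIZE;
}

/* Allocate, fill, and release a block; false if any step fails. */
bool roundtrip(size_t size) {
    char *b = hdr_malloc(size);
    if (b == NULL) return false;
    memset(b, 0xAB, size);                        /* stays inside the block */
    MEMHDR *p = (MEMHDR *)(b - RESERVE_SIZE);
    bool ok = (p->mh_tag == MEM_TAG && p->mh_size == size);
    free(p);
    return ok;
}
```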
There isn't any known exploit here, so the security bits can probably be removed.
Created attachment 325453: Patch v1
Review of attachment 325453 [details] [review]: ::: xmlmemory.c @@ +219,3 @@ /** * xmlMallocAtomicLoc: + * @size: an unsigned int specifying the size in byte to allocate. There is another typo here ("byte" => "bytes") that can be fixed before landing.
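Review bot: the quoted hunk at xmlmemory.c line 219 adds only the @size doc-comment line; the bounds check on 'size' that the report asks for (rejecting values for which RESERVE_SIZE+size would wrap before the malloc call) is not in this fragment, so confirm the rest of the attachment contains it before landing.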
That code is only used when compiling with memory debug; nobody can ship libxml2 this way, as free and xmlFree become incompatible and everything would break. So not a security issue, but good to fix, thanks for the patch! Applied as: https://git.gnome.org/browse/libxml2/commit/?id=886529b56ccbf381d9a58c64b4d016a9d05e2c25 Seems I missed the typo though :-\ sorry... thanks! Daniel
Fix committed to master in 886529b56ccbf381d9a58c64b4d016a9d05e2c25: <https://git.gnome.org/browse/libxml2/commit/?id=886529b56ccbf381d9a58c64b4d016a9d05e2c25>