Bug 766635 - Integer signed/unsigned type mismatch of 'size_t ret' variable in xmlParserInputGrow() vs. 'int' return value of xmlParserInputBufferGrow()
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: git master
Hardware/OS: Other All
Importance: Normal normal
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2016-05-18 21:50 UTC by David Kilzer
Modified: 2016-05-22 01:53 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Patch v1 (977 bytes, patch)
2016-05-18 21:56 UTC, David Kilzer

Description David Kilzer 2016-05-18 21:50:04 UTC
The problem is that xmlParserInputBufferGrow() returns an int, and sometimes returns a negative value, thus causing ‘size_t ret’ in xmlParserInputGrow() to become a large positive value, which is then returned and converted back to an int.

There is no apparent security issue here because over half the call sites of xmlParserInputGrow() don't check its return value, and those that do get -1 again because the int -> size_t -> int conversion is not lossy.
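The int -> size_t -> int round trip described in this report, as an added illustration (this is not libxml2 code; `buffer_grow_stub`, `grow_buggy` and `grow_fixed` are stand-ins named here for the example). It shows that a -1 error code stored in a `size_t` becomes `SIZE_MAX`, that the value survives conversion back to `int` on the usual two's-complement targets (which is why the report sees no security impact for the call sites that check -1), and that the unsigned intermediate is still a hazard if anything compares it before the conversion back.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for xmlParserInputBufferGrow(): returns the number of
 * bytes added, or -1 on error. */
static int buffer_grow_stub(int fail)
{
    return fail ? -1 : 64;
}

/* Mirrors the pattern in the report: an int result is stored in a size_t and
 * then returned as int. On error the intermediate value is SIZE_MAX, and the
 * conversion back to int is implementation-defined in C; two's-complement
 * compilers (gcc, clang) yield -1, so the -1 check at the caller still works. */
static int grow_buggy(int fail, size_t *intermediate)
{
    size_t ret = (size_t) buffer_grow_stub(fail); /* -1 becomes SIZE_MAX */
    *intermediate = ret;
    return (int) ret;                              /* wraps back to -1 */
}

/* Why the unsigned intermediate matters: any test performed while the value is
 * still a size_t treats the error code as a (huge) success count. */
static int buggy_looks_successful(int fail)
{
    size_t ret = (size_t) buffer_grow_stub(fail);
    return ret > 0; /* true even when the underlying call failed */
}

/* Fixed pattern: keep the int and check its sign before it touches size_t. */
static int grow_fixed(int fail, size_t *bytes_added)
{
    int ret = buffer_grow_stub(fail);
    if (ret < 0) {
        *bytes_added = 0;
        return -1;
    }
    *bytes_added = (size_t) ret; /* only non-negative values are widened */
    return ret;
}

int main(void)
{
    size_t mid = 0, added = 0;
    int r;

    r = grow_buggy(1, &mid);
    printf("buggy: returned %d, intermediate size_t was %zu\n", r, mid);
    printf("buggy: error looks successful as size_t? %d\n",
           buggy_looks_successful(1));

    r = grow_fixed(1, &added);
    printf("fixed: returned %d, bytes_added %zu\n", r, added);
    r = grow_fixed(0, &added);
    printf("fixed: returned %d, bytes_added %zu\n", r, added);
    return 0;
}
```

The takeaway for review is the one the patch applies: a signed status/length result should be range-checked as the signed type it was returned in, and only the non-negative branch should ever be widened to `size_t`.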
Comment 1 David Kilzer 2016-05-18 21:56:07 UTC
Created attachment 328157
Patch v1

Fixes the bug.
Comment 2 Daniel Veillard 2016-05-22 01:53:38 UTC
Okay, makes sense, applied and committed as:

https://git.gnome.org/browse/libxml2/commit/?id=d433ea6c83f00c4ccdad4413a2f5c83e641c3992

Thanks!

Daniel