GNOME Bugzilla – Bug 766635
Integer signed/unsigned type mismatch of 'size_t ret' variable in xmlParserInputGrow() vs. 'int' return value of xmlParserInputBufferGrow()
Last modified: 2016-05-22 01:53:38 UTC
The problem is that xmlParserInputBufferGrow() returns an int, and sometimes returns a negative value, thus causing ‘size_t ret’ in xmlParserInputGrow() to become a large positive value, which is then returned and converted back to an int. There is no apparent security issue here because over half the call sites of xmlParserInputGrow() don't check its return value, and those that do get -1 again because the int -> size_t -> int conversion is not lossy.
Created attachment 328157: Patch v1. Fixes the bug.
Okay, makes sense, applied and committed as: https://git.gnome.org/browse/libxml2/commit/?id=d433ea6c83f00c4ccdad4413a2f5c83e641c3992 thanks! Daniel
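An added illustration of the int -> size_t -> int conversion chain described in the report; it is not code from the bug or from libxml2. The functions grow_buffer(), grow_mismatched() and grow_fixed() are constructed stand-ins for the real grow routines, with the same "int, negative on failure" contract.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a buffer-grow routine with the contract the
 * report describes: returns an int, -1 on failure. Not libxml2 code. */
static int grow_buffer(int simulate_error) {
    return simulate_error ? -1 : 128;
}

/* Comparison routed through a parameter so the compiler cannot fold it;
 * for an unsigned v and limit 0 the result is always 0. */
static int is_below(size_t v, size_t limit) {
    return v < limit;
}

/* Exposes what a negative int looks like once stored in a size_t. */
static size_t stored_as_size_t(int v) {
    return (size_t) v;  /* -1 becomes SIZE_MAX */
}

/* The reported pattern: int result stored in size_t, returned as int.
 * *check_fired reports whether the "ret < 0" error test ever triggered. */
static int grow_mismatched(int simulate_error, int *check_fired) {
    size_t ret = (size_t) grow_buffer(simulate_error);
    *check_fired = is_below(ret, 0);   /* dead check: never 1 for size_t */
    /* On two's-complement targets SIZE_MAX converts back to int -1, which
     * is why callers that test the int result still see -1 (not lossy). */
    return (int) ret;
}

/* The fix: keep the int type so a negative result reaches the check. */
static int grow_fixed(int simulate_error, int *check_fired) {
    int ret = grow_buffer(simulate_error);
    *check_fired = ret < 0;
    return ret;
}

int main(void) {
    int fired;
    int rc = grow_mismatched(1, &fired);
    printf("mismatched: returned %d, in-function check fired: %d\n", rc, fired);
    rc = grow_fixed(1, &fired);
    printf("fixed:      returned %d, in-function check fired: %d\n", rc, fired);
    printf("-1 stored in size_t: %zu (SIZE_MAX is %zu)\n",
           stored_as_size_t(-1), (size_t) SIZE_MAX);
    return 0;
}
```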