Check for overflow when merging text nodes.

third_party/libxslt/libxslt/transform.c

Index: third_party/libxslt/libxslt/transform.c
diff --git a/third_party/libxslt/libxslt/transform.c b/third_party/libxslt/libxslt/transform.c
index b3fce80aade12a9a1e7eba718d0cc66b60e6412c..c82f6782caf94002b804f00c4893aea9bd2c1a3f 100644
--- a/third_party/libxslt/libxslt/transform.c
+++ b/third_party/libxslt/libxslt/transform.c
@@ -820,12 +820,12 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
 
 	if (ctxt->lasttuse + len >= ctxt->lasttsize) {
 	    xmlChar *newbuf;
-	    int size;
+	    size_t size;
 
 	    size = ctxt->lasttsize + len + 100;
 	    size *= 2;
 	    newbuf = (xmlChar *) xmlRealloc(target->content,size);
-	    if (newbuf == NULL) {
+	    if (newbuf == NULL || size < ctxt->lasttsize) {

[scottmg, 2017/01/11 17:46:07]

This is intended to be an overflow check, or? (nominally we set size to
(lasttsize + len + 100) ^ 2).

lasttsize is unsigned int, but then we're calculating in a size_t... so I don't
understand how size could be < lasttsize.

(Apologies if I'm being dumb.)

[scottmg, 2017/01/11 18:02:23]

(Er, * 2 above obviously)

I guess on x86 it might make some sense if all the types are 32 bit.

I was thinking x64, so size_t of 8b vs ctxt->lasttsize and len of 4b.

 		xsltTransformError(ctxt, NULL, target,
 		 "xsltCopyText: text allocation failed\n");
 		return(NULL);
@@ -834,6 +834,11 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
 	    ctxt->lasttext = newbuf;
 	    target->content = newbuf;
 	}
+        if (ctxt->lasttuse >= ctxt->lasttsize - len) {

[scottmg, 2017/01/11 17:46:07]

nit; This indent looks odd in Rietveld, but maybe it's fine with the right tab
settings.

+            xsltTransformError(ctxt, NULL, target,
+                               "xsltCopyText: text allocation failed\n");
+            return(NULL);
+        }
 	memcpy(&(target->content[ctxt->lasttuse]), string, len);
 	ctxt->lasttuse += len;
 	target->content[ctxt->lasttuse] = 0;