Index: third_party/libxslt/libxslt/transform.c |
diff --git a/third_party/libxslt/libxslt/transform.c b/third_party/libxslt/libxslt/transform.c |
index 519133fcca2db26f173ab4baf7ff2638a231df39..02bff34a09e957255dd8df6b480b28a5ff14202d 100644 |
--- a/third_party/libxslt/libxslt/transform.c |
+++ b/third_party/libxslt/libxslt/transform.c |
@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target, |
return(target); |
if (ctxt->lasttext == target->content) { |
+ int minSize; |
- if (ctxt->lasttuse + len >= ctxt->lasttsize) { |
+ /* Check for integer overflow accounting for NUL terminator. */ |
+ if (len >= INT_MAX - ctxt->lasttuse) { |
+ xsltTransformError(ctxt, NULL, target, |
+ "xsltCopyText: text allocation failed\n"); |
+ return(NULL); |
+ } |
+ minSize = ctxt->lasttuse + len + 1; |
+ |
+ if (ctxt->lasttsize < minSize) { |
xmlChar *newbuf; |
int size; |
+ int extra; |
+ |
+ /* Double buffer size but increase by at least 100 bytes. */ |
+ extra = minSize < 100 ? 100 : minSize; |
+ |
+ /* Check for integer overflow. */ |
+ if (extra > INT_MAX - ctxt->lasttsize) { |
+ size = INT_MAX; |
+ } |
+ else { |
+ size = ctxt->lasttsize + extra; |
+ } |
- size = ctxt->lasttsize + len + 100; |
- size *= 2; |
newbuf = (xmlChar *) xmlRealloc(target->content,size); |
if (newbuf == NULL) { |
xsltTransformError(ctxt, NULL, target, |