From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001
From: Samanta Navarro <ferivoz@riseup.net>
Date: Sat, 22 Jan 2022 17:48:00 +0100
Subject: [PATCH] lib: Detect and prevent integer overflow in XML_GetBuffer
 (CVE-2022-23852)

Upstream-Status: Backport:
https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40

CVE: CVE-2022-23852

Signed-off-by: Steve Sakoman <steve@sakoman.com>

---
 expat/lib/xmlparse.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index d54af683..5ce31402 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
     keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
     if (keep > XML_CONTEXT_BYTES)
       keep = XML_CONTEXT_BYTES;
+    /* Detect and prevent integer overflow */
+    if (keep > INT_MAX - neededSize) {
+      parser->m_errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
     neededSize += keep;
 #endif /* defined XML_CONTEXT_BYTES */
     if (neededSize