From 8fbbf5513d609c1770b391b99e33314cd0742704 Mon Sep 17 00:00:00 2001
From: Pranjal Jumde <pjumde@apple.com>
Date: Tue, 8 Mar 2016 17:29:00 -0800
Subject: [PATCH] Bug 763071: heap-buffer-overflow in xmlStrncat
 <https://bugzilla.gnome.org/show_bug.cgi?id=763071>

* xmlstring.c:
(xmlStrncat): Return NULL if xmlStrlen returns a negative length.
(xmlStrncatNew): Ditto.

Upstream-Status: Backport
CVE: CVE-2016-1834
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 xmlstring.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/xmlstring.c b/xmlstring.c
index b89c9e9..00287d4 100644
--- a/xmlstring.c
+++ b/xmlstring.c
@@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
         return(xmlStrndup(add, len));
 
     size = xmlStrlen(cur);
+    if (size < 0)
+        return(NULL);
     ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar));
     if (ret == NULL) {
         xmlErrMemory(NULL, NULL);
@@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) {
     int size;
     xmlChar *ret;
 
-    if (len < 0)
+    if (len < 0) {
         len = xmlStrlen(str2);
+        if (len < 0)
+            return(NULL);
+    }
     if ((str2 == NULL) || (len == 0))
         return(xmlStrdup(str1));
     if (str1 == NULL)
         return(xmlStrndup(str2, len));
 
     size = xmlStrlen(str1);
+    if (size < 0)
+        return(NULL);
     ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar));
     if (ret == NULL) {
         xmlErrMemory(NULL, NULL);
-- 
2.3.5