From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Mon, 19 Aug 2024 22:26:07 +0200 Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer References: CVE-2024-45490 References: bsc#1230036 Upstream: Backport from upstream Reported by TaiYou --- expat/lib/xmlparse.c | 6 ++++++ 1 file changed, 6 insertions(+) --- firefox-128.2.0/parser/expat/lib/xmlparse.c +++ firefox-128.2.0_new/parser/expat/lib/xmlparse.c @@ -1978,6 +1978,12 @@ if (parser == NULL) return XML_STATUS_ERROR; + + if (len < 0) { + parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT; + return XML_STATUS_ERROR; + } + switch (ps_parsing) { case XML_SUSPENDED: errorCode = XML_ERROR_SUSPENDED;