Index: libxml2-2.7.2/SAX2.c
===================================================================
--- libxml2-2.7.2.orig/SAX2.c
+++ libxml2-2.7.2/SAX2.c
@@ -11,6 +11,7 @@
 #include "libxml.h"
 #include
 #include
+#include
 #include
 #include
 #include
@@ -26,6 +27,11 @@
 #include
 #include
+/* Define SIZE_T_MAX unless defined through . */
+#ifndef SIZE_T_MAX
+# define SIZE_T_MAX ((size_t)-1)
+#endif /* !SIZE_T_MAX */
+
 /* #define DEBUG_SAX2 */
 /* #define DEBUG_SAX2_TREE */
@@ -2455,9 +2461,14 @@ xmlSAX2Characters(void *ctx, const xmlCh
 (xmlDictOwns(ctxt->dict, lastChild->content))) {
 lastChild->content = xmlStrdup(lastChild->content);
 }
+ if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
+ (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
+ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
+ return;
+ }
 if (ctxt->nodelen + len >= ctxt->nodemem) {
 xmlChar *newbuf;
- int size;
+ size_t size;
 size = ctxt->nodemem + len;
 size *= 2;
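Review bot: The new guard in xmlSAX2Characters bounds both sums against SIZE_T_MAX, but the `(size_t)` casts and the removed `int size` suggest that `nodelen`, `nodemem` and `len` are `int` (their declarations are outside the hunk, so please confirm). If they are, then wherever `size_t` is wider than `int` the guard accepts values for which `ctxt->nodelen + len` and `size = ctxt->nodemem + len` still overflow in `int` before the result is widened. Bounding by the narrower type closes that gap, for example `if (len < 0 || ctxt->nodelen > INT_MAX - len || ctxt->nodemem > INT_MAX / 2 - len)`, with the sum computed as `size = (size_t)ctxt->nodemem + (size_t)len;`. It is also worth checking below the hunk that `size` is not stored back into an `int` field without a range check. The function body starts and ends outside the hunk.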