solv_xmlparser: truncate oversized element content

diff --git a/ext/solv_xmlparser.c b/ext/solv_xmlparser.c
index 385a23d21aeec06214736e1fc56b083417a3a6d1..0792065386a9e34a8dd7dbbbb77fab6808a07db5 100644 (file)
--- a/ext/solv_xmlparser.c
+++ b/ext/solv_xmlparser.c
@@ -30,10 +30,10 @@ add_contentspace(struct solv_xmlparser *xmlp, int l)
 {
   l += xmlp->lcontent + 1;     /* plus room for trailing zero */
   if (l > xmlp->acontent)
-    {    
+    {
       xmlp->acontent = l + 256; 
       xmlp->content = solv_realloc(xmlp->content, xmlp->acontent);
-    }    
+    }
 }
 
 
@@ -47,8 +47,10 @@ character_data(void *userData, const XML_Char *s, int len)
 {
   struct solv_xmlparser *xmlp = userData;
 
-  if (!xmlp->docontent || !len)
+  if (!xmlp->docontent || len <= 0)
     return;
+  if ((unsigned int)xmlp->lcontent + (unsigned int)len >= 0x40000000U)
+    return;    /* hey! just ignore for now */
   add_contentspace(xmlp, len);
   memcpy(xmlp->content + xmlp->lcontent, s, len);
   xmlp->lcontent += len; 
@@ -379,10 +381,12 @@ solv_xmlparser_contentspace(struct solv_xmlparser *xmlp, int l)
 {
   xmlp->lcontent = 0;
   if (l > xmlp->acontent)
-    {    
+    {
+      if ((unsigned int)l >= 0x40000000U)
+       solv_oom(0, l);
       xmlp->acontent = l + 256; 
       xmlp->content = solv_realloc(xmlp->content, xmlp->acontent);
-    }    
+    }
   return xmlp->content;
 }