From: Michael Schroeder
Date: Wed, 6 May 2026 14:06:25 +0000 (+0200)
Subject: solv_xmlparser: truncate oversized element content
X-Git-Tag: 0.7.38~12
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=7439b0dc89d4c8cf669d6fb06cdb02a3919bbe8a;p=thirdparty%2Flibsolv.git
solv_xmlparser: truncate oversized element content
---
diff --git a/ext/solv_xmlparser.c b/ext/solv_xmlparser.c
index 385a23d2..07920653 100644
--- a/ext/solv_xmlparser.c
+++ b/ext/solv_xmlparser.c
@@ -30,10 +30,10 @@ add_contentspace(struct solv_xmlparser *xmlp, int l)
 {
 l += xmlp->lcontent + 1; /* plus room for trailing zero */
 if (l > xmlp->acontent)
- {
+ {
 xmlp->acontent = l + 256;
 xmlp->content = solv_realloc(xmlp->content, xmlp->acontent);
- }
+ }
 }
@@ -47,8 +47,10 @@ character_data(void *userData, const XML_Char *s, int len)
 {
 struct solv_xmlparser *xmlp = userData;
- if (!xmlp->docontent || !len)
+ if (!xmlp->docontent || len <= 0)
 return;
+ if ((unsigned int)xmlp->lcontent + (unsigned int)len >= 0x40000000U)
+ return; /* hey! just ignore for now */
 add_contentspace(xmlp, len);
 memcpy(xmlp->content + xmlp->lcontent, s, len);
 xmlp->lcontent += len;
@@ -379,10 +381,12 @@ solv_xmlparser_contentspace(struct solv_xmlparser *xmlp, int l)
 {
 xmlp->lcontent = 0;
 if (l > xmlp->acontent)
- {
+ {
+ if ((unsigned int)l >= 0x40000000U)
+ solv_oom(0, l);
 xmlp->acontent = l + 256;
 xmlp->content = solv_realloc(xmlp->content, xmlp->acontent);
- }
+ }
 return xmlp->content;
 }
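Review bot: The new bound in `character_data` is checked per callback, so after one chunk is dropped a later, smaller chunk for the same element can still pass and be appended, leaving content with a gap rather than a truncated tail. Nothing visible in the hunk records that data was discarded, so the element handler would receive the shortened value as if it were complete. Consider latching the condition until the element ends, for example `{ xmlp->docontent = 0; return; }` if `docontent` is re-armed per element (that code and the end of this function are outside the hunk), and making the overflow visible to the caller. The limit `0x40000000U` is also repeated in `solv_xmlparser_contentspace` in the last hunk; one named constant with a comment on why 1 GiB was chosen would keep the two checks in step.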
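Review bot: An oversized `l` in `solv_xmlparser_contentspace` now goes to `solv_oom(0, l)`, which as far as I know terminates the process, while `character_data` in the previous hunk quietly drops data at the same limit. If any caller derives `l` from document content (the callers are not in this diff), a malformed or hostile input would stop the host program instead of producing a parse error. It is worth stating the contract above the function, e.g. `/* l must be below 1 GiB; larger requests are fatal */`, or bounding `l` at the call sites so the failure can be reported. The function's opening lines sit outside the hunk.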