authorMichael BrĂ¼ning <michael.bruning@qt.io>2022-03-04 11:48:10 +0100
committerMichal Klocek <michal.klocek@qt.io>2022-04-14 06:20:03 +0000
commit164a41b36fd4eb8ecec363a784b4a8cf3ce8959e (patch)
tree18192eb1534f1897bc0566fffcad04640b849583 /chromium/third_party/libxml/src/xmlstring.c
parent45fc3a3a0d3166206fc3fef2185c85b2d6b4f222 (diff)
[Backport] Security bug 1269999
Manual update of libxml following upstream patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3422595: Roll libxml from dea91c97 to eab86522 2022-01-31 wellnhofer@aevum.de Make xmllint return an error if arguments are missing 2022-01-28 wellnhofer@aevum.de Avoid potential integer overflow in xmlstring.c 2021-07-07 ddkilzer@apple.com xmlAddChild() and xmlAddNextSibling() may not attach their second argument 2022-01-25 wellnhofer@aevum.de Run CI tests with UBSan implicit-conversion checks 2022-01-25 wellnhofer@aevum.de Fix casting of line numbers in SAX2.c 2022-01-25 wellnhofer@aevum.de Fix integer conversion warnings in hash.c 2022-01-25 wellnhofer@aevum.de Add explicit casts in runtest.c 2022-01-25 wellnhofer@aevum.de Fix integer conversion warning in xmlIconvWrapper 2022-01-25 wellnhofer@aevum.de Add suffix to unsigned constant in xmlmemory.c 2022-01-25 wellnhofer@aevum.de Add explicit casts in testchar.c 2022-01-25 wellnhofer@aevum.de Fix integer conversion warnings in xmlstring.c 2022-01-25 wellnhofer@aevum.de Add explicit cast in xmlURIUnescapeString 2022-01-25 wellnhofer@aevum.de Fix handling of ctxt->base in xmlXPtrEvalXPtrPart 2022-01-20 wellnhofer@aevum.de Remove wrong tarname from AC_INIT 2022-01-17 wellnhofer@aevum.de Remove old devhelp format 2022-01-16 wellnhofer@aevum.de Fix regression with PEs in external DTD 2022-01-16 wellnhofer@aevum.de Fix xmllint --maxmem 2021-11-03 huangduirong@huawei.com Fix Null-deref-in-xmlSchemaGetComponentTargetNs 2022-01-16 wellnhofer@aevum.de Fix libxml2.doap 2021-08-26 finnbarber@protonmail.com Added regression tests for xmlReadFd() and htmlReadFd() 2021-07-27 finnbarber@protonmail.com Fix htmlReadFd, which was using a mix of xml and html context functions 2022-01-16 wellnhofer@aevum.de Fix memory leak in xmlXPathCompNodeTest 2021-07-22 fanchunwei@src.gnome.org setup.py.in: Try to import setuptools 2021-07-22 fanchunwei@src.gnome.org Python distutils: Make DLL packaging more flexible 
2021-07-22 fanchunwei@src.gnome.org tstmem.py: Try importing from libxmlmods.libxml2mod if needed 2021-03-30 fanchunwei@src.gnome.org python: Port python 3.x module to Windows 2021-11-03 mrazavi64@gmail.com Fix random dropping of characters on dumping ASCII encoded XML 2021-10-14 kjellahlstedt@gmail.com Update URL for libxml++ C++ binding 2022-01-16 wellnhofer@aevum.de Fix null pointer deref in xmlStringGetNodeList 2021-08-06 liyulin@pku.edu.cn move current position before possible calling of ctxt->sax->characters. 2021-07-29 mattia@mapreri.org Correctly install the HTML examples into their subdirectory. 2021-07-29 mattia@mapreri.org Refactor the settings of $docdir 2021-07-26 ben.boeckel@kitware.com configure: remove unused checks for functions 2021-07-26 ben.boeckel@kitware.com configure: remove unused checks for libraries 2021-07-26 ben.boeckel@kitware.com cmake: remove unused checks 2021-07-26 ben.boeckel@kitware.com configure: remove unused checks for headers 2021-07-26 ben.boeckel@kitware.com cmake: fix `ATTRIBUTE_DESTRUCTOR` definition 2021-07-23 ebassi@gnome.org Generate devhelp2 index file 2021-07-14 amigadave@amigadave.com Remove duplicated code in xmlcatalog 2021-07-14 amigadave@amigadave.com Fix leak in __xmlOutputBufferCreateFilename 2021-07-14 amigadave@amigadave.com Fix memory leak in xmlRelaxNGNewDocParserCtxt 2021-07-14 amigadave@amigadave.com Fix memory leak in xmlRelaxNGParseData 2021-07-14 amigadave@amigadave.com Fix memory leak in libxml_C14NDocSaveTo 2021-07-14 amigadave@amigadave.com Fix memory leak in libxml_saveNodeTo 2021-07-14 amigadave@amigadave.com Fix memory leak in xmlNewInputFromFile 2021-07-14 amigadave@amigadave.com Fix memory leak in xmlCreateIOParserCtxt 2021-07-14 amigadave@amigadave.com Fix memory leak in xmlParseSGMLCatalog 2021-07-14 amigadave@amigadave.com Fix memory leak in xmlParseCatalogFile 2021-07-14 amigadave@amigadave.com Fix memory leak in xmlSAX2AttributeDecl 2021-07-14 amigadave@amigadave.com Fix memory leak in 
xmlFreeParserInputBuffer 2021-07-07 ddkilzer@apple.com Fix parse failure when 4-byte character in UTF-16 BE is split across a chunk 2021-07-05 jtojnar@gmail.com man: Mention XML_CATALOG_FILES is space-separated 2021-07-05 rainer.canavan@avenga.com add documentaiton for xmllint exit code 10 2021-06-28 sam@gentoo.org python/Makefile.am: use *_LIBADD, not *_LDFLAGS for LIBS 2022-01-16 wellnhofer@aevum.de Fix check for libtool in autogen.sh 2022-01-16 wellnhofer@aevum.de Add myself to maintainers 2022-01-15 wellnhofer@aevum.de Revert "Make schema validation fail with multiple top-level elements" 2022-01-10 wellnhofer@aevum.de Different approach to fix quadratic behavior in HTML push parser 2022-01-10 wellnhofer@aevum.de Fix regression when parsing invalid HTML tags in push mode 2022-01-10 wellnhofer@aevum.de Fix regression parsing public IDs literals in HTML Fixed: 1269999 Bug: 934413 Change-Id: I602a086b91d514cb80859237c48729d4c10cf83e Reviewed-by: Stephen Chenney <schenney@chromium.org> Commit-Queue: Joey Arhar <jarhar@chromium.org> Cr-Commit-Position: refs/heads/main@{#965736} Reviewed-by: Michal Klocek <michal.klocek@qt.io> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/third_party/libxml/src/xmlstring.c')
-rw-r--r--chromium/third_party/libxml/src/xmlstring.c73
1 files changed, 39 insertions, 34 deletions
diff --git a/chromium/third_party/libxml/src/xmlstring.c b/chromium/third_party/libxml/src/xmlstring.c
index 62d3053b482..245c75161b4 100644
--- a/chromium/third_party/libxml/src/xmlstring.c
+++ b/chromium/third_party/libxml/src/xmlstring.c
@@ -18,6 +18,7 @@
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include <libxml/xmlmemory.h>
#include <libxml/parserInternals.h>
#include <libxml/xmlstring.h>
@@ -42,7 +43,7 @@ xmlStrndup(const xmlChar *cur, int len) {
xmlChar *ret;
if ((cur == NULL) || (len < 0)) return(NULL);
- ret = (xmlChar *) xmlMallocAtomic((len + 1) * sizeof(xmlChar));
+ ret = (xmlChar *) xmlMallocAtomic(((size_t) len + 1) * sizeof(xmlChar));
if (ret == NULL) {
xmlErrMemory(NULL, NULL);
return(NULL);
@@ -87,7 +88,7 @@ xmlCharStrndup(const char *cur, int len) {
xmlChar *ret;
if ((cur == NULL) || (len < 0)) return(NULL);
- ret = (xmlChar *) xmlMallocAtomic((len + 1) * sizeof(xmlChar));
+ ret = (xmlChar *) xmlMallocAtomic(((size_t) len + 1) * sizeof(xmlChar));
if (ret == NULL) {
xmlErrMemory(NULL, NULL);
return(NULL);
@@ -423,14 +424,14 @@ xmlStrsub(const xmlChar *str, int start, int len) {
int
xmlStrlen(const xmlChar *str) {
- int len = 0;
+ size_t len = 0;
if (str == NULL) return(0);
while (*str != 0) { /* non input consuming */
str++;
len++;
}
- return(len);
+ return(len > INT_MAX ? 0 : len);
}
/**
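Review bot: `return(len > INT_MAX ? 0 : len);` makes a string longer than INT_MAX indistinguishable from an empty one, so callers get no signal that the length was clamped. The same `? 0 :` pattern appears further down in xmlUTF8Strlen, xmlUTF8Strsize and xmlUTF8Strloc. xmlUTF8Strlen and xmlUTF8Strloc already return -1 for bad arguments, and in xmlUTF8Strloc a result of 0 reads as a match at the first position, so `return(i > INT_MAX ? -1 : (int) i);` would fit those two better. For xmlStrlen I would document the clamp in the function comment, e.g. `Returns 0 for NULL and for strings longer than INT_MAX`, and write the narrowing explicitly as `(int) len`.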
@@ -460,9 +461,9 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
return(xmlStrndup(add, len));
size = xmlStrlen(cur);
- if (size < 0)
+ if ((size < 0) || (size > INT_MAX - len))
return(NULL);
- ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar));
+ ret = (xmlChar *) xmlRealloc(cur, ((size_t) size + len + 1) * sizeof(xmlChar));
if (ret == NULL) {
xmlErrMemory(NULL, NULL);
return(cur);
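Review bot: The new overflow branch in xmlStrncat returns NULL and leaves `cur` allocated, while the realloc-failure branch just below returns `cur`. A caller that writes `s = xmlStrncat(s, add, n)` therefore loses its only pointer to the buffer on the overflow path. The function comment (outside this hunk) should say which failures leave `cur` owned by the caller, for example `on length overflow returns NULL and does not free cur`. The guard `size > INT_MAX - len` is only well defined for `len >= 0`; that check is presumably made above the hunk, and the same precondition applies to the identical guard in xmlStrncatNew.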
@@ -500,9 +501,9 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) {
return(xmlStrndup(str2, len));
size = xmlStrlen(str1);
- if (size < 0)
+ if ((size < 0) || (size > INT_MAX - len))
return(NULL);
- ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar));
+ ret = (xmlChar *) xmlMalloc(((size_t) size + len + 1) * sizeof(xmlChar));
if (ret == NULL) {
xmlErrMemory(NULL, NULL);
return(xmlStrndup(str1, size));
@@ -667,7 +668,7 @@ xmlUTF8Charcmp(const xmlChar *utf1, const xmlChar *utf2) {
*/
int
xmlUTF8Strlen(const xmlChar *utf) {
- int ret = 0;
+ size_t ret = 0;
if (utf == NULL)
return(-1);
@@ -694,7 +695,7 @@ xmlUTF8Strlen(const xmlChar *utf) {
}
ret++;
}
- return(ret);
+ return(ret > INT_MAX ? 0 : ret);
}
/**
@@ -796,26 +797,28 @@ xmlCheckUTF8(const unsigned char *utf)
* 1110xxxx 10xxxxxx 10xxxxxx valid 3-byte
* 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx valid 4-byte
*/
- for (ix = 0; (c = utf[ix]);) { /* string is 0-terminated */
+ while ((c = utf[0])) { /* string is 0-terminated */
+ ix = 0;
if ((c & 0x80) == 0x00) { /* 1-byte code, starts with 10 */
- ix++;
+ ix = 1;
} else if ((c & 0xe0) == 0xc0) {/* 2-byte code, starts with 110 */
- if ((utf[ix+1] & 0xc0 ) != 0x80)
+ if ((utf[1] & 0xc0 ) != 0x80)
return 0;
- ix += 2;
+ ix = 2;
} else if ((c & 0xf0) == 0xe0) {/* 3-byte code, starts with 1110 */
- if (((utf[ix+1] & 0xc0) != 0x80) ||
- ((utf[ix+2] & 0xc0) != 0x80))
+ if (((utf[1] & 0xc0) != 0x80) ||
+ ((utf[2] & 0xc0) != 0x80))
return 0;
- ix += 3;
+ ix = 3;
} else if ((c & 0xf8) == 0xf0) {/* 4-byte code, starts with 11110 */
- if (((utf[ix+1] & 0xc0) != 0x80) ||
- ((utf[ix+2] & 0xc0) != 0x80) ||
- ((utf[ix+3] & 0xc0) != 0x80))
+ if (((utf[1] & 0xc0) != 0x80) ||
+ ((utf[2] & 0xc0) != 0x80) ||
+ ((utf[3] & 0xc0) != 0x80))
return 0;
- ix += 4;
+ ix = 4;
} else /* unknown encoding */
return 0;
+ utf += ix;
}
return(1);
}
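Review bot: The rewritten loop in xmlCheckUTF8 still validates only the lead-byte and continuation-byte bit patterns, so overlong forms such as `C0 80`, surrogates encoded in three bytes, and lead bytes `F5`–`F7` are accepted as valid. If callers treat a return of 1 as "safe to decode", the function comment should say so, e.g. `structural check only: overlong sequences and surrogates are not rejected`; that comment block starts outside the hunk and may already cover it. Two smaller points on the new lines: `ix = 0;` at the top of the loop is dead because every branch either assigns `ix` or returns, and the context comment `1-byte code, starts with 10` should read `starts with 0`.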
@@ -834,8 +837,9 @@ xmlCheckUTF8(const unsigned char *utf)
int
xmlUTF8Strsize(const xmlChar *utf, int len) {
- const xmlChar *ptr=utf;
- xmlChar ch;
+ const xmlChar *ptr=utf;
+ int ch;
+ size_t ret;
if (utf == NULL)
return(0);
@@ -857,7 +861,8 @@ xmlUTF8Strsize(const xmlChar *utf, int len) {
}
}
}
- return (ptr - utf);
+ ret = ptr - utf;
+ return (ret > INT_MAX ? 0 : ret);
}
/**
@@ -876,11 +881,8 @@ xmlUTF8Strndup(const xmlChar *utf, int len) {
if ((utf == NULL) || (len < 0)) return(NULL);
i = xmlUTF8Strsize(utf, len);
- ret = (xmlChar *) xmlMallocAtomic((i + 1) * sizeof(xmlChar));
+ ret = (xmlChar *) xmlMallocAtomic(((size_t) i + 1) * sizeof(xmlChar));
if (ret == NULL) {
- xmlGenericError(xmlGenericErrorContext,
- "malloc of %ld byte failed\n",
- (len + 1) * (long)sizeof(xmlChar));
return(NULL);
}
memcpy(ret, utf, i * sizeof(xmlChar));
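Review bot: The allocation-failure path in xmlUTF8Strndup now returns NULL without reporting anything, whereas xmlStrndup, xmlCharStrndup, xmlStrncat and xmlStrncatNew in this same patch call `xmlErrMemory(NULL, NULL);` before returning. Dropping the old message is reasonable, since it printed `len + 1` rather than the `i + 1` actually requested, but I would put `xmlErrMemory(NULL, NULL);` in its place for consistency. Also, xmlUTF8Strsize now yields 0 when the byte size exceeds INT_MAX, so `i` becomes 0 and this function returns an empty string rather than NULL in that case. The function body continues past the end of the hunk.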
@@ -900,7 +902,7 @@ xmlUTF8Strndup(const xmlChar *utf, int len) {
*/
const xmlChar *
xmlUTF8Strpos(const xmlChar *utf, int pos) {
- xmlChar ch;
+ int ch;
if (utf == NULL) return(NULL);
if (pos < 0)
@@ -932,14 +934,15 @@ xmlUTF8Strpos(const xmlChar *utf, int pos) {
*/
int
xmlUTF8Strloc(const xmlChar *utf, const xmlChar *utfchar) {
- int i, size;
- xmlChar ch;
+ size_t i;
+ int size;
+ int ch;
if (utf==NULL || utfchar==NULL) return -1;
size = xmlUTF8Strsize(utfchar, 1);
for(i=0; (ch=*utf) != 0; i++) {
if (xmlStrncmp(utf, utfchar, size)==0)
- return(i);
+ return(i > INT_MAX ? 0 : i);
utf++;
if ( ch & 0x80 ) {
/* if not simple ascii, verify proper format */
@@ -969,8 +972,8 @@ xmlUTF8Strloc(const xmlChar *utf, const xmlChar *utfchar) {
xmlChar *
xmlUTF8Strsub(const xmlChar *utf, int start, int len) {
- int i;
- xmlChar ch;
+ int i;
+ int ch;
if (utf == NULL) return(NULL);
if (start < 0) return(NULL);
@@ -1026,6 +1029,8 @@ xmlEscapeFormatString(xmlChar **msg)
if (count == 0)
return(*msg);
+ if ((count > INT_MAX) || (msgLen > INT_MAX - count))
+ return(NULL);
resultLen = msgLen + count + 1;
result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar));
if (result == NULL) {