- Merge clang warning fix http://git.gnome.org/browse/libxml2/commit/?id=aae48e64dfbf2b46b157a4c1857e30645116388f
- Add a fix for proper escaping of xpointer expressions, commit upstream is pending.
- Add helper classes in chromium/libxml_utils.cc and chromium/include/libxml/libxml_utils.h.
+- Add a tweak to limit problems caused by excessive strings and buffers.
To import a new snapshot of libxml:
xmlReallocFunc xmlRealloc = (xmlReallocFunc) xmlMemRealloc;
xmlStrdupFunc xmlMemStrdup = (xmlStrdupFunc) xmlMemoryStrdup;
#else
+
+#define MAX_LIBXML_MALLOC (1024*1024*512)
+
+static void* size_checked_malloc(size_t size) {
+ if (size > MAX_LIBXML_MALLOC) {
+ *(volatile char*)0 = '\0';
+ return NULL;
+ }
+ return malloc(size);
+}
+
+static void* size_checked_realloc(void* ptr, size_t size) {
+ if (size > MAX_LIBXML_MALLOC) {
+ *(volatile char*)0 = '\0';
+ return NULL;
+ }
+ return realloc(ptr, size);
+}
+
/**
* xmlFree:
* @mem: an already allocated block of memory
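Review bot: The over-limit branch in `size_checked_malloc` and `size_checked_realloc` stops the process by writing through a null pointer, `*(volatile char*)0 = '\0';`, with no comment saying the crash is deliberate, and the `return NULL;` after it reads as if callers were meant to handle the failure. That write is undefined behaviour that only traps where page zero is unmapped; `abort();` states the fail-stop intent directly, preceded by a comment such as `/* Deliberate fail-stop: never hand NULL for an oversized request to callers that may not check it. */` (presumably the intent; please confirm). The cap only sees the final `size` argument, so a length that already wrapped in a caller's arithmetic still passes the check; it limits oversized requests but does not replace overflow checks at the call sites. The helpers sit under the `#else`, and the `xmlMemRealloc` / `xmlMemoryStrdup` assignments above it are unchanged in the visible lines, so the limit appears not to apply in that build configuration; it is worth confirming that this is intended.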
*
* Returns a pointer to the newly allocated block or NULL in case of error
*/
-xmlMallocFunc xmlMalloc = (xmlMallocFunc) malloc;
+xmlMallocFunc xmlMalloc = (xmlMallocFunc) size_checked_malloc;
/**
* xmlMallocAtomic:
* @size: the size requested in bytes
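Review bot: The doc comment kept above `xmlMalloc` still promises "NULL in case of error", but with `size_checked_malloc` installed a request above `MAX_LIBXML_MALLOC` terminates the process instead of returning. The same applies to the comments above `xmlMallocAtomic` and `xmlRealloc` in the two hunks below. I would add one line to each comment, for example `* Requests larger than MAX_LIBXML_MALLOC (512 MiB) crash the process instead of returning NULL.` The comment blocks begin outside the visible context, so this is based only on the lines shown here.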
*
* Returns a pointer to the newly allocated block or NULL in case of error
*/
-xmlMallocFunc xmlMallocAtomic = (xmlMallocFunc) malloc;
+xmlMallocFunc xmlMallocAtomic = (xmlMallocFunc) size_checked_malloc;
/**
* xmlRealloc:
* @mem: an already allocated block of memory
*
* Returns a pointer to the newly reallocated block or NULL in case of error
*/
-xmlReallocFunc xmlRealloc = (xmlReallocFunc) realloc;
+xmlReallocFunc xmlRealloc = (xmlReallocFunc) size_checked_realloc;
/**
* xmlMemStrdup:
* @str: a zero terminated string