Fix integer truncation in libxml2 xmlEscapeText

Changing newSize from int to size_t prevents a 32-bit signed integer
truncation that could lead to an undersized allocation and a subsequent
heap-buffer-overflow.

A regression test was manually verified under ASAN to detect the bug (it
triggers a heap-buffer-overflow without the fix and passes with it).
However, this test is not included in the commit as it requires a ~2GB
allocation which could cause flakiness or OOMs on CQ bots with limited
memory.

Fixed: 506388321
Change-Id: Ic46cccfbeaad277bf38413901be5357801abd6e6
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7794884
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Andrew Paseltiner <apaseltiner@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1621216}
NOKEYCHECK=True
GitOrigin-RevId: 240a66356280ba79aabb6dbe1d27e1b273b3750f
4 files changed
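
The bug class the commit message describes, as an added example that is not libxml2's or Chromium's code: a size computed in `size_t` but stored in a 32-bit `int` loses its high bits, so the allocator is asked for far less than the buffer needs. The function names `grow_int`, `grow_size_t` and `fits`, the doubling growth policy and the sample sizes are assumptions made for illustration, and a 64-bit target is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 64-bit size_t, so a buffer size can exceed 32 bits. */
_Static_assert(sizeof(size_t) >= 8, "example assumes a 64-bit target");

/* Hypothetical "before" model: the grown size is kept in a 32-bit int,
 * so the bits of the size_t sum above the low 32 are discarded. */
static size_t grow_int(size_t size, size_t need) {
    size_t wide = (size + need) * 2;      /* doubled requirement */
    int newSize = (int)(uint32_t)wide;    /* truncation made explicit */
    return (size_t)newSize;               /* value the allocator receives */
}

/* Hypothetical "after" model: size_t throughout plus an overflow check.
 * Returns 0 when the size cannot be represented, so the caller can fail. */
static size_t grow_size_t(size_t size, size_t need) {
    if (need > SIZE_MAX - size) return 0;
    size_t sum = size + need;
    if (sum > SIZE_MAX / 2) return 0;
    return sum * 2;
}

/* True if `capacity` bytes hold `size` existing bytes plus `need` new ones. */
static int fits(size_t capacity, size_t size, size_t need) {
    return need <= capacity && size <= capacity - need;
}

int main(void) {
    /* Constructed values: 2 GiB already in the buffer, 8 more bytes needed. */
    size_t size = (size_t)1 << 31, need = 8;
    size_t bad = grow_int(size, need), good = grow_size_t(size, need);
    printf("int:    alloc %zu bytes, fits=%d\n", bad, fits(bad, size, need));
    printf("size_t: alloc %zu bytes, fits=%d\n", good, fits(good, size, need));
    return 0;
}
```

Only the size arithmetic is exercised, so the example runs without the ~2GB allocation the commit message says the real regression test needs.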