Index: /trunk/src/libs/libxml2-2.6.31/entities.c =================================================================== --- /trunk/src/libs/libxml2-2.6.31/entities.c (revision 44083) +++ /trunk/src/libs/libxml2-2.6.31/entities.c (revision 44084) @@ -473,11 +473,11 @@ */ #define growBufferReentrant() { \ - buffer_size *= 2; \ - buffer = (xmlChar *) \ - xmlRealloc(buffer, buffer_size * sizeof(xmlChar)); \ - if (buffer == NULL) { \ - xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\ - return(NULL); \ - } \ + xmlChar *tmp; \ + size_t new_size = buffer_size * 2; \ + if (new_size < buffer_size) goto mem_error; \ + tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ + if (tmp == NULL) goto mem_error; \ + buffer = tmp; \ + buffer_size = new_size; \ } @@ -500,5 +500,5 @@ xmlChar *buffer = NULL; xmlChar *out = NULL; - int buffer_size = 0; + size_t buffer_size = 0; int html = 0; @@ -519,6 +519,6 @@ while (*cur != '\0') { - if (out - buffer > buffer_size - 100) { - int indx = out - buffer; + size_t indx = out - buffer; + if (indx + 100 > buffer_size) { growBufferReentrant(); @@ -637,4 +637,9 @@ *out++ = 0; return(buffer); + +mem_error: + xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed"); + xmlFree(buffer); + return(NULL); } @@ -654,5 +659,5 @@ xmlChar *buffer = NULL; xmlChar *out = NULL; - int buffer_size = 0; + size_t buffer_size = 0; if (input == NULL) return(NULL); @@ -669,6 +674,6 @@ while (*cur != '\0') { - if (out - buffer > buffer_size - 10) { - int indx = out - buffer; + size_t indx = out - buffer; + if (indx + 10 > buffer_size) { growBufferReentrant(); @@ -719,4 +724,9 @@ *out++ = 0; return(buffer); + +mem_error: + xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed"); + xmlFree(buffer); + return(NULL); } Index: /trunk/src/libs/libxml2-2.6.31/parser.c =================================================================== --- /trunk/src/libs/libxml2-2.6.31/parser.c (revision 44083) +++ /trunk/src/libs/libxml2-2.6.31/parser.c (revision 44084) @@ -41,4 +41,5 @@ #include +#include #include #include @@ -110,8 +111,8 @@ */ static int -xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size, +xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, xmlEntityPtr ent) { - unsigned long consumed = 0; + size_t consumed = 0; if (ctxt == NULL) @@ -2270,10 +2271,10 @@ #define growBuffer(buffer, n) { \ xmlChar *tmp; \ - buffer##_size *= 2; \ - buffer##_size += n; \ - tmp = (xmlChar *) \ - xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \ + size_t new_size = buffer##_size * 2 + n; \ + if (new_size < buffer##_size) goto mem_error; \ + tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ if (tmp == NULL) goto mem_error; \ buffer = tmp; \ + buffer##_size = new_size; \ } @@ -2301,5 +2302,6 @@ int what, xmlChar end, xmlChar end2, xmlChar end3) { xmlChar *buffer = NULL; - int buffer_size = 0; + size_t buffer_size = 0; + size_t nbchars = 0; xmlChar *current = NULL; @@ -2307,5 +2309,4 @@ xmlEntityPtr ent; int c,l; - int nbchars = 0; if ((ctxt == NULL) || (str == NULL) || (len < 0)) @@ -2322,5 +2323,5 @@ */ buffer_size = XML_PARSER_BIG_BUFFER_SIZE; - buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar)); + buffer = (xmlChar *) xmlMallocAtomic(buffer_size); if (buffer == NULL) goto mem_error; @@ -2342,5 +2343,5 @@ COPY_BUF(0,buffer,nbchars,val); } - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } @@ -2359,5 +2360,5 @@ if (ent->content != NULL) { COPY_BUF(0,buffer,nbchars,ent->content[0]); - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } @@ -2377,6 +2378,5 @@ while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; - if (nbchars > - buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { if (xmlParserEntityCheck(ctxt, nbchars, ent)) { xmlFree(rep); @@ -2393,5 +2393,5 @@ buffer[nbchars++] = '&'; - if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) { + if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE); } @@ -2420,6 +2420,5 @@ while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; - if (nbchars > - buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { if (xmlParserEntityCheck(ctxt, nbchars, ent)) { xmlFree(rep); @@ -2435,6 +2434,6 @@ COPY_BUF(l,buffer,nbchars,c); str += l; - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { - growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } @@ -3195,6 +3194,6 @@ xmlChar limit = 0; xmlChar *buf = NULL; - int len = 0; - int buf_size = 0; + size_t len = 0; + size_t buf_size = 0; int c, l, in_space = 0; xmlChar *current = NULL; @@ -3218,5 +3217,5 @@ */ buf_size = XML_PARSER_BUFFER_SIZE; - buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar)); + buf = (xmlChar *) xmlMallocAtomic(buf_size); if (buf == NULL) goto mem_error; @@ -3235,5 +3234,5 @@ if (val == '&') { if (ctxt->replaceEntities) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } @@ -3244,5 +3243,5 @@ * called by the attribute() function in SAX.c */ - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } @@ -3254,5 +3253,5 @@ } } else { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } @@ -3266,5 +3265,5 @@ if ((ent != NULL) && (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } @@ -3291,5 +3290,5 @@ while (*current != 0) { /* non input consuming */ buf[len++] = *current++; - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } @@ -3298,5 +3297,5 @@ } } else { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } @@ -3325,5 +3324,5 @@ */ buf[len++] = '&'; - while (len > buf_size - i - 10) { + while (len + i + 10 > buf_size) { growBuffer(buf, i + 10); } @@ -3338,5 +3337,5 @@ if ((!normalize) || (!in_space)) { COPY_BUF(l,buf,len,0x20); - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } @@ -3347,5 +3346,5 @@ in_space = 0; COPY_BUF(l,buf,len,c); - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } @@ -3357,5 +3356,5 @@ } if ((in_space) && (normalize)) { - while (buf[len - 1] == 0x20) len--; + while ((len > 0) && (buf[len - 1] == 0x20)) len--; } buf[len] = 0; @@ -3372,5 +3371,16 @@ } else NEXT; - if (attlen != NULL) *attlen = len; + + /* + * There we potentially risk an overflow, don't allow attribute value of + * lenght more than INT_MAX it is a very reasonnable assumption ! + */ + if (len >= INT_MAX) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue lenght too long\n"); + goto mem_error; + } + + if (attlen != NULL) *attlen = (int) len; return(buf);