
Side by Side Diff: third_party/expat/files/lib/xmlparse.c

Issue 1151263010: Apply a patch from Mozilla to prevent an integer overflow in expat. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fix README typo Created 5 years, 6 months ago
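--- a/third_party/expat/files/lib/xmlparse.c
+++ b/third_party/expat/files/lib/xmlparse.c
@@ -1,10 +1,10 @@
 /* Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
    See the file COPYING for copying permission.
 */
 
 #include <stddef.h>
 #include <string.h> /* memset(), memcpy() */
 #include <assert.h>
 #include <limits.h> /* UINT_MAX */
 #include <time.h> /* time() */
 
@@ -1671,62 +1671,81 @@
 }
 
   XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);
   positionPtr = bufferPtr;
   return result;
 }
 
 void * XMLCALL
 XML_GetBuffer(XML_Parser parser, int len)
 {
+  /* BEGIN MOZILLA CHANGE (sanity check len) */
+  if (len < 0) {
+    errorCode = XML_ERROR_NO_MEMORY;
+    return NULL;
+  }
+  /* END MOZILLA CHANGE */
   switch (ps_parsing) {
   case XML_SUSPENDED:
     errorCode = XML_ERROR_SUSPENDED;
     return NULL;
   case XML_FINISHED:
     errorCode = XML_ERROR_FINISHED;
     return NULL;
   default: ;
   }
 
   if (len > bufferLim - bufferEnd) {
-    /* FIXME avoid integer overflow */
     int neededSize = len + (int)(bufferEnd - bufferPtr);
+    /* BEGIN MOZILLA CHANGE (sanity check neededSize) */
+    if (neededSize < 0) {
+      errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
+    /* END MOZILLA CHANGE */
 #ifdef XML_CONTEXT_BYTES
     int keep = (int)(bufferPtr - buffer);
 
     if (keep > XML_CONTEXT_BYTES)
       keep = XML_CONTEXT_BYTES;
     neededSize += keep;
 #endif /* defined XML_CONTEXT_BYTES */
     if (neededSize <= bufferLim - buffer) {
 #ifdef XML_CONTEXT_BYTES
       if (keep < bufferPtr - buffer) {
         int offset = (int)(bufferPtr - buffer) - keep;
         memmove(buffer, &buffer[offset], bufferEnd - bufferPtr + keep);
         bufferEnd -= offset;
         bufferPtr -= offset;
       }
 #else
       memmove(buffer, bufferPtr, bufferEnd - bufferPtr);
       bufferEnd = buffer + (bufferEnd - bufferPtr);
       bufferPtr = buffer;
 #endif /* not defined XML_CONTEXT_BYTES */
     }
     else {
       char *newBuf;
       int bufferSize = (int)(bufferLim - bufferPtr);
       if (bufferSize == 0)
         bufferSize = INIT_BUFFER_SIZE;
       do {
         bufferSize *= 2;
-      } while (bufferSize < neededSize);
+      /* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
+      } while (bufferSize < neededSize && bufferSize > 0);
+      /* END MOZILLA CHANGE */
+      /* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
+      if (bufferSize <= 0) {
+        errorCode = XML_ERROR_NO_MEMORY;
+        return NULL;
+      }
+      /* END MOZILLA CHANGE */
       newBuf = (char *)MALLOC(bufferSize);
       if (newBuf == 0) {
         errorCode = XML_ERROR_NO_MEMORY;
         return NULL;
       }
       bufferLim = newBuf + bufferSize;
 #ifdef XML_CONTEXT_BYTES
       if (bufferPtr) {
         int keep = (int)(bufferPtr - buffer);
         if (keep > XML_CONTEXT_BYTES)
@@ -6394,10 +6413,10 @@
     return NULL;
   if (ret->name != name)
     poolDiscard(&dtd->pool);
   else {
     poolFinish(&dtd->pool);
     if (!setElementTypePrefix(parser, ret))
       return NULL;
   }
   return ret;
 }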
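Review bot: The new guards in XML_GetBuffer at new lines 1700 and 1734–1737 detect overflow only after it has happened: `len + (int)(bufferEnd - bufferPtr)` and `bufferSize *= 2` are signed int operations, so their wraparound is undefined behavior and an optimizer is entitled to drop the `neededSize < 0` and `bufferSize > 0` tests rather than honour them. Check before the arithmetic instead, e.g. `if (len > INT_MAX - (int)(bufferEnd - bufferPtr))` for neededSize (limits.h is already included at the top of the file) and `if (bufferSize > INT_MAX / 2)` before each doubling. The `neededSize += keep;` under XML_CONTEXT_BYTES also remains unchecked after the new test, though keep is clamped to XML_CONTEXT_BYTES so the remaining margin is small. Reporting a negative len as XML_ERROR_NO_MEMORY is also misleading for callers; a comment such as `/* negative len is a caller bug, not an allocation failure */` would at least document the choice. XML_GetBuffer's body continues past the end of the shown section.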
