| OLD | NEW |
| 1 /* Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd | 1 /* Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd |
| 2 See the file COPYING for copying permission. | 2 See the file COPYING for copying permission. |
| 3 */ | 3 */ |
| 4 | 4 |
| 5 #include <stddef.h> | 5 #include <stddef.h> |
| 6 #include <string.h> /* memset(), memcpy() */ | 6 #include <string.h> /* memset(), memcpy() */ |
| 7 #include <assert.h> | 7 #include <assert.h> |
| 8 #include <limits.h> /* UINT_MAX */ | 8 #include <limits.h> /* UINT_MAX */ |
| 9 #include <time.h> /* time() */ | 9 #include <time.h> /* time() */ |
| 10 | 10 |
| (...skipping 1660 matching lines...) |
| 1671 } | 1671 } |
| 1672 | 1672 |
| 1673 XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position); | 1673 XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position); |
| 1674 positionPtr = bufferPtr; | 1674 positionPtr = bufferPtr; |
| 1675 return result; | 1675 return result; |
| 1676 } | 1676 } |
| 1677 | 1677 |
| 1678 void * XMLCALL | 1678 void * XMLCALL |
| 1679 XML_GetBuffer(XML_Parser parser, int len) | 1679 XML_GetBuffer(XML_Parser parser, int len) |
| 1680 { | 1680 { |
| 1681 /* BEGIN MOZILLA CHANGE (sanity check len) */ |
| 1682 if (len < 0) { |
| 1683 errorCode = XML_ERROR_NO_MEMORY; |
| 1684 return NULL; |
| 1685 } |
| 1686 /* END MOZILLA CHANGE */ |
| 1681 switch (ps_parsing) { | 1687 switch (ps_parsing) { |
| 1682 case XML_SUSPENDED: | 1688 case XML_SUSPENDED: |
| 1683 errorCode = XML_ERROR_SUSPENDED; | 1689 errorCode = XML_ERROR_SUSPENDED; |
| 1684 return NULL; | 1690 return NULL; |
| 1685 case XML_FINISHED: | 1691 case XML_FINISHED: |
| 1686 errorCode = XML_ERROR_FINISHED; | 1692 errorCode = XML_ERROR_FINISHED; |
| 1687 return NULL; | 1693 return NULL; |
| 1688 default: ; | 1694 default: ; |
| 1689 } | 1695 } |
| 1690 | 1696 |
| 1691 if (len > bufferLim - bufferEnd) { | 1697 if (len > bufferLim - bufferEnd) { |
| 1692 /* FIXME avoid integer overflow */ | |
| 1693 int neededSize = len + (int)(bufferEnd - bufferPtr); | 1698 int neededSize = len + (int)(bufferEnd - bufferPtr); |
| 1699 /* BEGIN MOZILLA CHANGE (sanity check neededSize) */ |
| 1700 if (neededSize < 0) { |
| 1701 errorCode = XML_ERROR_NO_MEMORY; |
| 1702 return NULL; |
| 1703 } |
| 1704 /* END MOZILLA CHANGE */ |
| 1694 #ifdef XML_CONTEXT_BYTES | 1705 #ifdef XML_CONTEXT_BYTES |
| 1695 int keep = (int)(bufferPtr - buffer); | 1706 int keep = (int)(bufferPtr - buffer); |
| 1696 | 1707 |
| 1697 if (keep > XML_CONTEXT_BYTES) | 1708 if (keep > XML_CONTEXT_BYTES) |
| 1698 keep = XML_CONTEXT_BYTES; | 1709 keep = XML_CONTEXT_BYTES; |
| 1699 neededSize += keep; | 1710 neededSize += keep; |
| 1700 #endif /* defined XML_CONTEXT_BYTES */ | 1711 #endif /* defined XML_CONTEXT_BYTES */ |
| 1701 if (neededSize <= bufferLim - buffer) { | 1712 if (neededSize <= bufferLim - buffer) { |
| 1702 #ifdef XML_CONTEXT_BYTES | 1713 #ifdef XML_CONTEXT_BYTES |
| 1703 if (keep < bufferPtr - buffer) { | 1714 if (keep < bufferPtr - buffer) { |
| 1704 int offset = (int)(bufferPtr - buffer) - keep; | 1715 int offset = (int)(bufferPtr - buffer) - keep; |
| 1705 memmove(buffer, &buffer[offset], bufferEnd - bufferPtr + keep); | 1716 memmove(buffer, &buffer[offset], bufferEnd - bufferPtr + keep); |
| 1706 bufferEnd -= offset; | 1717 bufferEnd -= offset; |
| 1707 bufferPtr -= offset; | 1718 bufferPtr -= offset; |
| 1708 } | 1719 } |
| 1709 #else | 1720 #else |
| 1710 memmove(buffer, bufferPtr, bufferEnd - bufferPtr); | 1721 memmove(buffer, bufferPtr, bufferEnd - bufferPtr); |
| 1711 bufferEnd = buffer + (bufferEnd - bufferPtr); | 1722 bufferEnd = buffer + (bufferEnd - bufferPtr); |
| 1712 bufferPtr = buffer; | 1723 bufferPtr = buffer; |
| 1713 #endif /* not defined XML_CONTEXT_BYTES */ | 1724 #endif /* not defined XML_CONTEXT_BYTES */ |
| 1714 } | 1725 } |
| 1715 else { | 1726 else { |
| 1716 char *newBuf; | 1727 char *newBuf; |
| 1717 int bufferSize = (int)(bufferLim - bufferPtr); | 1728 int bufferSize = (int)(bufferLim - bufferPtr); |
| 1718 if (bufferSize == 0) | 1729 if (bufferSize == 0) |
| 1719 bufferSize = INIT_BUFFER_SIZE; | 1730 bufferSize = INIT_BUFFER_SIZE; |
| 1720 do { | 1731 do { |
| 1721 bufferSize *= 2; | 1732 bufferSize *= 2; |
| 1722 } while (bufferSize < neededSize); | 1733 /* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ |
| 1734 } while (bufferSize < neededSize && bufferSize > 0); |
| 1735 /* END MOZILLA CHANGE */ |
| 1736 /* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ |
| 1737 if (bufferSize <= 0) { |
| 1738 errorCode = XML_ERROR_NO_MEMORY; |
| 1739 return NULL; |
| 1740 } |
| 1741 /* END MOZILLA CHANGE */ |
| 1723 newBuf = (char *)MALLOC(bufferSize); | 1742 newBuf = (char *)MALLOC(bufferSize); |
| 1724 if (newBuf == 0) { | 1743 if (newBuf == 0) { |
| 1725 errorCode = XML_ERROR_NO_MEMORY; | 1744 errorCode = XML_ERROR_NO_MEMORY; |
| 1726 return NULL; | 1745 return NULL; |
| 1727 } | 1746 } |
| 1728 bufferLim = newBuf + bufferSize; | 1747 bufferLim = newBuf + bufferSize; |
| 1729 #ifdef XML_CONTEXT_BYTES | 1748 #ifdef XML_CONTEXT_BYTES |
| 1730 if (bufferPtr) { | 1749 if (bufferPtr) { |
| 1731 int keep = (int)(bufferPtr - buffer); | 1750 int keep = (int)(bufferPtr - buffer); |
| 1732 if (keep > XML_CONTEXT_BYTES) | 1751 if (keep > XML_CONTEXT_BYTES) |
| (...skipping 4661 matching lines...) |
| 6394 return NULL; | 6413 return NULL; |
| 6395 if (ret->name != name) | 6414 if (ret->name != name) |
| 6396 poolDiscard(&dtd->pool); | 6415 poolDiscard(&dtd->pool); |
| 6397 else { | 6416 else { |
| 6398 poolFinish(&dtd->pool); | 6417 poolFinish(&dtd->pool); |
| 6399 if (!setElementTypePrefix(parser, ret)) | 6418 if (!setElementTypePrefix(parser, ret)) |
| 6400 return NULL; | 6419 return NULL; |
| 6401 } | 6420 } |
| 6402 return ret; | 6421 return ret; |
| 6403 } | 6422 } |
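Review bot: In XML_GetBuffer the new `if (neededSize < 0)` test runs after `len + (int)(bufferEnd - bufferPtr)` has already been evaluated, and signed overflow is undefined in C, so a compiler may drop the test; the same applies to the `bufferSize > 0` condition after `bufferSize *= 2`. Under XML_CONTEXT_BYTES, `neededSize += keep` comes after the check and is not re-checked, so a sum just below INT_MAX can still wrap and then satisfy `neededSize <= bufferLim - buffer`, returning a buffer with less than `len` bytes of room. Compare against INT_MAX (limits.h is already included) before each addition, as in the sketch below. The inserted `if` also places a statement ahead of the `int keep` declaration, which C89 compilers reject, so the sketch hoists the declarations. The end of the function is in the skipped region and was not reviewed.

```c
  if (len > bufferLim - bufferEnd) {
    int neededSize;
#ifdef XML_CONTEXT_BYTES
    int keep;
#endif
    /* Test before adding: a wrapped signed sum cannot be detected reliably afterwards. */
    if (len > INT_MAX - (int)(bufferEnd - bufferPtr)) {
      errorCode = XML_ERROR_NO_MEMORY;
      return NULL;
    }
    neededSize = len + (int)(bufferEnd - bufferPtr);
#ifdef XML_CONTEXT_BYTES
    keep = (int)(bufferPtr - buffer);
    if (keep > XML_CONTEXT_BYTES)
      keep = XML_CONTEXT_BYTES;
    if (keep > INT_MAX - neededSize) {
      errorCode = XML_ERROR_NO_MEMORY;
      return NULL;
    }
    neededSize += keep;
#endif /* defined XML_CONTEXT_BYTES */
    /* … unchanged: in-place compaction branch, bufferSize initialisation … */
      do {
        /* Refuse to double past INT_MAX instead of testing the sign afterwards. */
        if (bufferSize > INT_MAX / 2) {
          errorCode = XML_ERROR_NO_MEMORY;
          return NULL;
        }
        bufferSize *= 2;
      } while (bufferSize < neededSize);
    /* … unchanged: MALLOC and buffer copy … */
```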