OLD | NEW |
---|---|
1 /* Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd | 1 /* Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd |
2 See the file COPYING for copying permission. | 2 See the file COPYING for copying permission. |
3 */ | 3 */ |
4 | 4 |
5 #include <stddef.h> | 5 #include <stddef.h> |
6 #include <string.h> /* memset(), memcpy() */ | 6 #include <string.h> /* memset(), memcpy() */ |
7 #include <assert.h> | 7 #include <assert.h> |
8 #include <limits.h> /* UINT_MAX */ | 8 #include <limits.h> /* UINT_MAX */ |
9 #include <time.h> /* time() */ | 9 #include <time.h> /* time() */ |
10 | 10 |
(...skipping 1660 matching lines...) | |
1671 } | 1671 } |
1672 | 1672 |
1673 XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position); | 1673 XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position); |
1674 positionPtr = bufferPtr; | 1674 positionPtr = bufferPtr; |
1675 return result; | 1675 return result; |
1676 } | 1676 } |
1677 | 1677 |
1678 void * XMLCALL | 1678 void * XMLCALL |
1679 XML_GetBuffer(XML_Parser parser, int len) | 1679 XML_GetBuffer(XML_Parser parser, int len) |
1680 { | 1680 { |
1681 /* BEGIN MOZILLA CHANGE (sanity check len) */ | |
1682 if (len < 0) { | |
1683 errorCode = XML_ERROR_NO_MEMORY; | |
1684 return NULL; | |
1685 } | |
1686 /* END MOZILLA CHANGE */ | |
1681 switch (ps_parsing) { | 1687 switch (ps_parsing) { |
1682 case XML_SUSPENDED: | 1688 case XML_SUSPENDED: |
1683 errorCode = XML_ERROR_SUSPENDED; | 1689 errorCode = XML_ERROR_SUSPENDED; |
1684 return NULL; | 1690 return NULL; |
1685 case XML_FINISHED: | 1691 case XML_FINISHED: |
1686 errorCode = XML_ERROR_FINISHED; | 1692 errorCode = XML_ERROR_FINISHED; |
1687 return NULL; | 1693 return NULL; |
1688 default: ; | 1694 default: ; |
1689 } | 1695 } |
1690 | 1696 |
1691 if (len > bufferLim - bufferEnd) { | 1697 if (len > bufferLim - bufferEnd) { |
1692 /* FIXME avoid integer overflow */ | |
1693 int neededSize = len + (int)(bufferEnd - bufferPtr); | 1698 int neededSize = len + (int)(bufferEnd - bufferPtr); |
wrowe
2015/08/06 18:45:51
Moving the patch below up one line (prior to int n
daniel.gutson
2015/09/01 13:17:04
May I ask why you are using signed types? A size s
| |
1699 /* BEGIN MOZILLA CHANGE (sanity check neededSize) */ | |
1700 if (neededSize < 0) { | |
1701 errorCode = XML_ERROR_NO_MEMORY; | |
1702 return NULL; | |
1703 } | |
1704 /* END MOZILLA CHANGE */ | |
1694 #ifdef XML_CONTEXT_BYTES | 1705 #ifdef XML_CONTEXT_BYTES |
1695 int keep = (int)(bufferPtr - buffer); | 1706 int keep = (int)(bufferPtr - buffer); |
1696 | 1707 |
1697 if (keep > XML_CONTEXT_BYTES) | 1708 if (keep > XML_CONTEXT_BYTES) |
1698 keep = XML_CONTEXT_BYTES; | 1709 keep = XML_CONTEXT_BYTES; |
1699 neededSize += keep; | 1710 neededSize += keep; |
1700 #endif /* defined XML_CONTEXT_BYTES */ | 1711 #endif /* defined XML_CONTEXT_BYTES */ |
1701 if (neededSize <= bufferLim - buffer) { | 1712 if (neededSize <= bufferLim - buffer) { |
1702 #ifdef XML_CONTEXT_BYTES | 1713 #ifdef XML_CONTEXT_BYTES |
1703 if (keep < bufferPtr - buffer) { | 1714 if (keep < bufferPtr - buffer) { |
1704 int offset = (int)(bufferPtr - buffer) - keep; | 1715 int offset = (int)(bufferPtr - buffer) - keep; |
1705 memmove(buffer, &buffer[offset], bufferEnd - bufferPtr + keep); | 1716 memmove(buffer, &buffer[offset], bufferEnd - bufferPtr + keep); |
1706 bufferEnd -= offset; | 1717 bufferEnd -= offset; |
1707 bufferPtr -= offset; | 1718 bufferPtr -= offset; |
1708 } | 1719 } |
1709 #else | 1720 #else |
1710 memmove(buffer, bufferPtr, bufferEnd - bufferPtr); | 1721 memmove(buffer, bufferPtr, bufferEnd - bufferPtr); |
1711 bufferEnd = buffer + (bufferEnd - bufferPtr); | 1722 bufferEnd = buffer + (bufferEnd - bufferPtr); |
1712 bufferPtr = buffer; | 1723 bufferPtr = buffer; |
1713 #endif /* not defined XML_CONTEXT_BYTES */ | 1724 #endif /* not defined XML_CONTEXT_BYTES */ |
1714 } | 1725 } |
1715 else { | 1726 else { |
1716 char *newBuf; | 1727 char *newBuf; |
1717 int bufferSize = (int)(bufferLim - bufferPtr); | 1728 int bufferSize = (int)(bufferLim - bufferPtr); |
1718 if (bufferSize == 0) | 1729 if (bufferSize == 0) |
1719 bufferSize = INIT_BUFFER_SIZE; | 1730 bufferSize = INIT_BUFFER_SIZE; |
1720 do { | 1731 do { |
1721 bufferSize *= 2; | 1732 bufferSize *= 2; |
1722 } while (bufferSize < neededSize); | 1733 /* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ |
VZ
2015/07/26 22:35:06
This change doesn't seem to be ideal as it will re
| |
1734 } while (bufferSize < neededSize && bufferSize > 0); | |
1735 /* END MOZILLA CHANGE */ | |
1736 /* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ | |
1737 if (bufferSize <= 0) { | |
1738 errorCode = XML_ERROR_NO_MEMORY; | |
1739 return NULL; | |
1740 } | |
1741 /* END MOZILLA CHANGE */ | |
1723 newBuf = (char *)MALLOC(bufferSize); | 1742 newBuf = (char *)MALLOC(bufferSize); |
1724 if (newBuf == 0) { | 1743 if (newBuf == 0) { |
1725 errorCode = XML_ERROR_NO_MEMORY; | 1744 errorCode = XML_ERROR_NO_MEMORY; |
1726 return NULL; | 1745 return NULL; |
1727 } | 1746 } |
1728 bufferLim = newBuf + bufferSize; | 1747 bufferLim = newBuf + bufferSize; |
1729 #ifdef XML_CONTEXT_BYTES | 1748 #ifdef XML_CONTEXT_BYTES |
1730 if (bufferPtr) { | 1749 if (bufferPtr) { |
1731 int keep = (int)(bufferPtr - buffer); | 1750 int keep = (int)(bufferPtr - buffer); |
1732 if (keep > XML_CONTEXT_BYTES) | 1751 if (keep > XML_CONTEXT_BYTES) |
(...skipping 4661 matching lines...) | |
6394 return NULL; | 6413 return NULL; |
6395 if (ret->name != name) | 6414 if (ret->name != name) |
6396 poolDiscard(&dtd->pool); | 6415 poolDiscard(&dtd->pool); |
6397 else { | 6416 else { |
6398 poolFinish(&dtd->pool); | 6417 poolFinish(&dtd->pool); |
6399 if (!setElementTypePrefix(parser, ret)) | 6418 if (!setElementTypePrefix(parser, ret)) |
6400 return NULL; | 6419 return NULL; |
6401 } | 6420 } |
6402 return ret; | 6421 return ret; |
6403 } | 6422 } |
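Review bot: The added `neededSize < 0` and `bufferSize > 0` checks in XML_GetBuffer test for signed overflow only after the addition or doubling has been performed. Signed overflow is undefined behaviour in C, so an optimizing compiler is allowed to drop both tests, and the size passed to MALLOC is then not dependably bounded. Test before the arithmetic instead, using INT_MAX from the already-included <limits.h>, as sketched below. The `neededSize += keep` step under XML_CONTEXT_BYTES is likewise unchecked and wants the same pre-test, e.g. `if (keep > INT_MAX - neededSize)`. The function body continues past the visible lines, so this covers only the part shown.

```c
  if (len > bufferLim - bufferEnd) {
    int neededSize;
    /* reject before adding, so the signed sum can never overflow */
    if (len > INT_MAX - (int)(bufferEnd - bufferPtr)) {
      errorCode = XML_ERROR_NO_MEMORY;
      return NULL;
    }
    neededSize = len + (int)(bufferEnd - bufferPtr);
    /* ... unchanged: XML_CONTEXT_BYTES keep handling and the in-place memmove branch ... */
      do {
        /* stop before the doubling would exceed INT_MAX */
        if (bufferSize > INT_MAX / 2) {
          errorCode = XML_ERROR_NO_MEMORY;
          return NULL;
        }
        bufferSize *= 2;
      } while (bufferSize < neededSize);
    /* ... unchanged: MALLOC call and buffer copy ... */
```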