Index: third_party/libxml/src/xmlstring.c |
diff --git a/third_party/libxml/src/xmlstring.c b/third_party/libxml/src/xmlstring.c |
index b6dd10121845c39d114ada3af3b61ea8f5a6b134..9e704a9f346ba05aae7e4be6d304453d8a7d3967 100644 |
--- a/third_party/libxml/src/xmlstring.c |
+++ b/third_party/libxml/src/xmlstring.c |
@@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) { |
return(xmlStrndup(add, len)); |
size = xmlStrlen(cur); |
+ if (size < 0) |
+ return(NULL); |
ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar)); |
if (ret == NULL) { |
xmlErrMemory(NULL, NULL); |
@@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) { |
int size; |
xmlChar *ret; |
- if (len < 0) |
+ if (len < 0) { |
len = xmlStrlen(str2); |
+ if (len < 0) |
+ return(NULL); |
+ } |
if ((str2 == NULL) || (len == 0)) |
return(xmlStrdup(str1)); |
if (str1 == NULL) |
return(xmlStrndup(str2, len)); |
size = xmlStrlen(str1); |
+ if (size < 0) |
+ return(NULL); |
ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar)); |
if (ret == NULL) { |
xmlErrMemory(NULL, NULL); |
@@ -538,7 +545,7 @@ xmlStrcat(xmlChar *cur, const xmlChar *add) { |
* Returns the number of characters written to @buf or -1 if an error occurs. |
*/ |
int XMLCDECL |
-xmlStrPrintf(xmlChar *buf, int len, const xmlChar *msg, ...) { |
+xmlStrPrintf(xmlChar *buf, int len, const char *msg, ...) { |
va_list args; |
int ret; |
@@ -566,7 +573,7 @@ xmlStrPrintf(xmlChar *buf, int len, const xmlChar *msg, ...) { |
* Returns the number of characters written to @buf or -1 if an error occurs. |
*/ |
int |
-xmlStrVPrintf(xmlChar *buf, int len, const xmlChar *msg, va_list ap) { |
+xmlStrVPrintf(xmlChar *buf, int len, const char *msg, va_list ap) { |
int ret; |
if((buf == NULL) || (msg == NULL)) { |
@@ -984,5 +991,60 @@ xmlUTF8Strsub(const xmlChar *utf, int start, int len) { |
return(xmlUTF8Strndup(utf, len)); |
} |
+/** |
+ * xmlEscapeFormatString: |
+ * @msg: a pointer to the string in which to escape '%' characters. |
+ * Must be a heap-allocated buffer created by libxml2 that may be |
+ * returned, or that may be freed and replaced. |
+ * |
+ * Replaces the string pointed to by 'msg' with an escaped string. |
+ * Returns the same string with all '%' characters escaped. |
+ */ |
+xmlChar * |
+xmlEscapeFormatString(xmlChar **msg) |
+{ |
+ xmlChar *msgPtr = NULL; |
+ xmlChar *result = NULL; |
+ xmlChar *resultPtr = NULL; |
+ size_t count = 0; |
+ size_t msgLen = 0; |
+ size_t resultLen = 0; |
+ |
+ if (!msg || !*msg) |
+ return(NULL); |
+ |
+ for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) { |
+ ++msgLen; |
+ if (*msgPtr == '%') |
+ ++count; |
+ } |
+ |
+ if (count == 0) |
+ return(*msg); |
+ |
+ resultLen = msgLen + count + 1; |
+ result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar)); |
+ if (result == NULL) { |
+ /* Clear *msg to prevent format string vulnerabilities in |
+ out-of-memory situations. */ |
+ xmlFree(*msg); |
+ *msg = NULL; |
+ xmlErrMemory(NULL, NULL); |
+ return(NULL); |
+ } |
+ |
+ for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) { |
+ *resultPtr = *msgPtr; |
+ if (*msgPtr == '%') |
+ *(++resultPtr) = '%'; |
+ } |
+ result[resultLen - 1] = '\0'; |
+ |
+ xmlFree(*msg); |
+ *msg = result; |
+ |
+ return *msg; |
+} |
+ |
#define bottom_xmlstring |
#include "elfgcchack.h" |