| Index: third_party/libxml/src/xmlstring.c
|
| diff --git a/third_party/libxml/src/xmlstring.c b/third_party/libxml/src/xmlstring.c
|
| index b6dd10121845c39d114ada3af3b61ea8f5a6b134..9e704a9f346ba05aae7e4be6d304453d8a7d3967 100644
|
| --- a/third_party/libxml/src/xmlstring.c
|
| +++ b/third_party/libxml/src/xmlstring.c
|
| @@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
|
| return(xmlStrndup(add, len));
|
|
|
| size = xmlStrlen(cur);
|
| + if (size < 0)
|
| + return(NULL);
|
| ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar));
|
| if (ret == NULL) {
|
| xmlErrMemory(NULL, NULL);
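Review bot: The added `size < 0` guard in xmlStrncat does not cover the sum `size + len + 1` on the xmlRealloc line, which is still evaluated in `int` before the multiply and can overflow when both values are large but non-negative. That would be undefined behaviour and could yield an allocation smaller than the data that is presumably copied into it afterwards (the copy is outside the hunk). The same pattern sits on the xmlMalloc line of xmlStrncatNew in the next hunk. Assuming `len` is already known to be non-negative at this point, the guard could read `if ((size < 0) || (size > INT_MAX - len - 1))` followed by `return(NULL);`, with `<limits.h>` in scope. Both function bodies start and end outside their hunks, so the `len` precondition for xmlStrncat cannot be confirmed from here.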
|
| @@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) {
|
| int size;
|
| xmlChar *ret;
|
|
|
| - if (len < 0)
|
| + if (len < 0) {
|
| len = xmlStrlen(str2);
|
| + if (len < 0)
|
| + return(NULL);
|
| + }
|
| if ((str2 == NULL) || (len == 0))
|
| return(xmlStrdup(str1));
|
| if (str1 == NULL)
|
| return(xmlStrndup(str2, len));
|
|
|
| size = xmlStrlen(str1);
|
| + if (size < 0)
|
| + return(NULL);
|
| ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar));
|
| if (ret == NULL) {
|
| xmlErrMemory(NULL, NULL);
|
| @@ -538,7 +545,7 @@ xmlStrcat(xmlChar *cur, const xmlChar *add) {
|
| * Returns the number of characters written to @buf or -1 if an error occurs.
|
| */
|
| int XMLCDECL
|
| -xmlStrPrintf(xmlChar *buf, int len, const xmlChar *msg, ...) {
|
| +xmlStrPrintf(xmlChar *buf, int len, const char *msg, ...) {
|
| va_list args;
|
| int ret;
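Review bot: The doc comment above xmlStrPrintf (and above xmlStrVPrintf in the next hunk) should state that `msg` is a printf-style format string that must come from trusted, constant text. The new `const char *` type makes the format role explicit in the signature but the visible comment tail only describes the return value. I would add a line such as `* @msg: the printf format string; never pass document-derived text here, pass it as an argument to "%s" instead`. The matching prototypes in the public header are not part of this file section and need the same type change for the declaration and definition to agree. Both function bodies continue outside their hunks.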
|
|
|
| @@ -566,7 +573,7 @@ xmlStrPrintf(xmlChar *buf, int len, const xmlChar *msg, ...) {
|
| * Returns the number of characters written to @buf or -1 if an error occurs.
|
| */
|
| int
|
| -xmlStrVPrintf(xmlChar *buf, int len, const xmlChar *msg, va_list ap) {
|
| +xmlStrVPrintf(xmlChar *buf, int len, const char *msg, va_list ap) {
|
| int ret;
|
|
|
| if((buf == NULL) || (msg == NULL)) {
|
| @@ -984,5 +991,60 @@ xmlUTF8Strsub(const xmlChar *utf, int start, int len) {
|
| return(xmlUTF8Strndup(utf, len));
|
| }
|
|
|
| +/**
|
| + * xmlEscapeFormatString:
|
| + * @msg: a pointer to the string in which to escape '%' characters.
|
| + * Must be a heap-allocated buffer created by libxml2 that may be
|
| + * returned, or that may be freed and replaced.
|
| + *
|
| + * Replaces the string pointed to by 'msg' with an escaped string.
|
| + * Returns the same string with all '%' characters escaped.
|
| + */
|
| +xmlChar *
|
| +xmlEscapeFormatString(xmlChar **msg)
|
| +{
|
| + xmlChar *msgPtr = NULL;
|
| + xmlChar *result = NULL;
|
| + xmlChar *resultPtr = NULL;
|
| + size_t count = 0;
|
| + size_t msgLen = 0;
|
| + size_t resultLen = 0;
|
| +
|
| + if (!msg || !*msg)
|
| + return(NULL);
|
| +
|
| + for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) {
|
| + ++msgLen;
|
| + if (*msgPtr == '%')
|
| + ++count;
|
| + }
|
| +
|
| + if (count == 0)
|
| + return(*msg);
|
| +
|
| + resultLen = msgLen + count + 1;
|
| + result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar));
|
| + if (result == NULL) {
|
| + /* Clear *msg to prevent format string vulnerabilities in
|
| + out-of-memory situations. */
|
| + xmlFree(*msg);
|
| + *msg = NULL;
|
| + xmlErrMemory(NULL, NULL);
|
| + return(NULL);
|
| + }
|
| +
|
| + for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) {
|
| + *resultPtr = *msgPtr;
|
| + if (*msgPtr == '%')
|
| + *(++resultPtr) = '%';
|
| + }
|
| + result[resultLen - 1] = '\0';
|
| +
|
| + xmlFree(*msg);
|
| + *msg = result;
|
| +
|
| + return *msg;
|
| +}
|
| +
|
| #define bottom_xmlstring
|
| #include "elfgcchack.h"
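Review bot: The doc comment on xmlEscapeFormatString leaves out the failure and ownership contract that the body implements. When the string contains a '%', the original buffer is always released with xmlFree, so any other pointer a caller still holds to it dangles; on allocation failure `*msg` is additionally set to NULL and NULL is returned. Only the no-'%' path returns the original pointer untouched. I would extend the comment with something like `* Returns the escaped string, or NULL (with *msg freed and set to NULL) if allocation fails.` plus a sentence that the input buffer may be freed and must not be aliased. As a minor style point, the final `return *msg;` differs from the `return(...)` form used everywhere else in the function.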
|
|
|