third_party/libxslt/libxslt/transform.c - Issue 2626983002: Check for overflow when merging text nodes.

Side by Side Diff: third_party/libxslt/libxslt/transform.c

Issue 2626983002: Check for overflow when merging text nodes. (Closed)

Patch Set: Created 3 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 /*	1 /*

2 * transform.c: Implementation of the XSL Transformation 1.0 engine	2 * transform.c: Implementation of the XSL Transformation 1.0 engine

3 * transform part, i.e. applying a Stylesheet to a document	3 * transform part, i.e. applying a Stylesheet to a document

4 *	4 *

5 * References:	5 * References:

6 * http://www.w3.org/TR/1999/REC-xslt-19991116	6 * http://www.w3.org/TR/1999/REC-xslt-19991116

7 *	7 *

8 * Michael Kay "XSLT Programmer's Reference" pp 637-643	8 * Michael Kay "XSLT Programmer's Reference" pp 637-643

9 * Writing Multiple Output Files	9 * Writing Multiple Output Files

10 *	10 *

(...skipping 802 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
813 /*	813 /*

814 * optimization	814 * optimization

815 */	815 */

816 if ((len <= 0) \|\| (string == NULL) \|\| (target == NULL))	816 if ((len <= 0) \|\| (string == NULL) \|\| (target == NULL))

817 return(target);	817 return(target);

818	818

819 if (ctxt->lasttext == target->content) {	819 if (ctxt->lasttext == target->content) {

820	820

821 if (ctxt->lasttuse + len >= ctxt->lasttsize) {	821 if (ctxt->lasttuse + len >= ctxt->lasttsize) {

822 xmlChar *newbuf;	822 xmlChar *newbuf;

823 » int size;	823 » size_t size;

824	824

825 size = ctxt->lasttsize + len + 100;	825 size = ctxt->lasttsize + len + 100;

826 size *= 2;	826 size *= 2;

827 newbuf = (xmlChar *) xmlRealloc(target->content,size);	827 newbuf = (xmlChar *) xmlRealloc(target->content,size);

828 » if (newbuf == NULL) {	828 » if (newbuf == NULL \|\| size < ctxt->lasttsize) {
	scottmg 2017/01/11 17:46:07 This is intended to be an overflow check, or? (nom This is intended to be an overflow check, or? (nominally we set size to (lasttsize + len + 100) ^ 2). lasttsize is unsigned int, but then we're calculating in a size_t... so I don't understand how size could be < lasttsize. (Apologies if I'm being dumb.) scottmg 2017/01/11 18:02:23 (Er, * 2 above obviously) I guess on x86 it might Show quoted text On 2017/01/11 17:46:07, scottmg wrote: > This is intended to be an overflow check, or? (nominally we set size to > (lasttsize + len + 100) ^ 2). > > lasttsize is unsigned int, but then we're calculating in a size_t... so I don't > understand how size could be < lasttsize. > > (Apologies if I'm being dumb.) (Er, * 2 above obviously) I guess on x86 it might make some sense if all the types are 32 bit. I was thinking x64, so size_t of 8b vs ctxt->lasttsize and len of 4b.
829 xsltTransformError(ctxt, NULL, target,	829 xsltTransformError(ctxt, NULL, target,

830 "xsltCopyText: text allocation failed\n");	830 "xsltCopyText: text allocation failed\n");

831 return(NULL);	831 return(NULL);

832 }	832 }

833 ctxt->lasttsize = size;	833 ctxt->lasttsize = size;

834 ctxt->lasttext = newbuf;	834 ctxt->lasttext = newbuf;

835 target->content = newbuf;	835 target->content = newbuf;

836 }	836 }

	837 if (ctxt->lasttuse >= ctxt->lasttsize - len) {
	scottmg 2017/01/11 17:46:07 nit; This indent looks odd in Rietveld, but maybe nit; This indent looks odd in Rietveld, but maybe it's fine with the right tab settings.
	838 xsltTransformError(ctxt, NULL, target,

	839 "xsltCopyText: text allocation failed\n");

	840 return(NULL);

	841 }

837 memcpy(&(target->content[ctxt->lasttuse]), string, len);	842 memcpy(&(target->content[ctxt->lasttuse]), string, len);

838 ctxt->lasttuse += len;	843 ctxt->lasttuse += len;

839 target->content[ctxt->lasttuse] = 0;	844 target->content[ctxt->lasttuse] = 0;

840 } else {	845 } else {

841 xmlNodeAddContent(target, string);	846 xmlNodeAddContent(target, string);

842 ctxt->lasttext = target->content;	847 ctxt->lasttext = target->content;

843 len = xmlStrlen(target->content);	848 len = xmlStrlen(target->content);

844 ctxt->lasttsize = len;	849 ctxt->lasttsize = len;

845 ctxt->lasttuse = len;	850 ctxt->lasttuse = len;

846 }	851 }

(...skipping 5593 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
6440 XSLT_NAMESPACE,	6445 XSLT_NAMESPACE,

6441 (xsltTransformFunction) xsltDebug);	6446 (xsltTransformFunction) xsltDebug);

6442 xsltRegisterExtElement(ctxt, (const xmlChar *) "otherwise",	6447 xsltRegisterExtElement(ctxt, (const xmlChar *) "otherwise",

6443 XSLT_NAMESPACE,	6448 XSLT_NAMESPACE,

6444 (xsltTransformFunction) xsltDebug);	6449 (xsltTransformFunction) xsltDebug);

6445 xsltRegisterExtElement(ctxt, (const xmlChar *) "fallback",	6450 xsltRegisterExtElement(ctxt, (const xmlChar *) "fallback",

6446 XSLT_NAMESPACE,	6451 XSLT_NAMESPACE,

6447 (xsltTransformFunction) xsltDebug);	6452 (xsltTransformFunction) xsltDebug);

6448	6453

6449 }	6454 }

OLD	NEW

« no previous file with comments | « third_party/libxslt/README.chromium ('k') | no next file » | no next file with comments »