| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * transform.c: Implementation of the XSL Transformation 1.0 engine | 2 * transform.c: Implementation of the XSL Transformation 1.0 engine |
| 3 * transform part, i.e. applying a Stylesheet to a document | 3 * transform part, i.e. applying a Stylesheet to a document |
| 4 * | 4 * |
| 5 * References: | 5 * References: |
| 6 * http://www.w3.org/TR/1999/REC-xslt-19991116 | 6 * http://www.w3.org/TR/1999/REC-xslt-19991116 |
| 7 * | 7 * |
| 8 * Michael Kay "XSLT Programmer's Reference" pp 637-643 | 8 * Michael Kay "XSLT Programmer's Reference" pp 637-643 |
| 9 * Writing Multiple Output Files | 9 * Writing Multiple Output Files |
| 10 * | 10 * |
| (...skipping 795 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 806 static xmlNodePtr | 806 static xmlNodePtr |
| 807 xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target, | 807 xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target, |
| 808 const xmlChar *string, int len) { | 808 const xmlChar *string, int len) { |
| 809 /* | 809 /* |
| 810 * optimization | 810 * optimization |
| 811 */ | 811 */ |
| 812 if ((len <= 0) || (string == NULL) || (target == NULL)) | 812 if ((len <= 0) || (string == NULL) || (target == NULL)) |
| 813 return(target); | 813 return(target); |
| 814 | 814 |
| 815 if (ctxt->lasttext == target->content) { | 815 if (ctxt->lasttext == target->content) { |
| 816 int minSize; |
| 816 | 817 |
| 817 » if (ctxt->lasttuse + len >= ctxt->lasttsize) { | 818 /* Check for integer overflow accounting for NUL terminator. */ |
| 819 if (len >= INT_MAX - ctxt->lasttuse) { |
| 820 xsltTransformError(ctxt, NULL, target, |
| 821 "xsltCopyText: text allocation failed\n"); |
| 822 return(NULL); |
| 823 } |
| 824 minSize = ctxt->lasttuse + len + 1; |
| 825 |
| 826 if (ctxt->lasttsize < minSize) { |
| 818 xmlChar *newbuf; | 827 xmlChar *newbuf; |
| 819 int size; | 828 int size; |
| 829 int extra; |
| 820 | 830 |
| 821 » size = ctxt->lasttsize + len + 100; | 831 /* Double buffer size but increase by at least 100 bytes. */ |
| 822 » size *= 2; | 832 extra = minSize < 100 ? 100 : minSize; |
| 833 |
| 834 /* Check for integer overflow. */ |
| 835 if (extra > INT_MAX - ctxt->lasttsize) { |
| 836 size = INT_MAX; |
| 837 } |
| 838 else { |
| 839 size = ctxt->lasttsize + extra; |
| 840 } |
| 841 |
| 823 newbuf = (xmlChar *) xmlRealloc(target->content,size); | 842 newbuf = (xmlChar *) xmlRealloc(target->content,size); |
| 824 if (newbuf == NULL) { | 843 if (newbuf == NULL) { |
| 825 xsltTransformError(ctxt, NULL, target, | 844 xsltTransformError(ctxt, NULL, target, |
| 826 "xsltCopyText: text allocation failed\n"); | 845 "xsltCopyText: text allocation failed\n"); |
| 827 return(NULL); | 846 return(NULL); |
| 828 } | 847 } |
| 829 ctxt->lasttsize = size; | 848 ctxt->lasttsize = size; |
| 830 ctxt->lasttext = newbuf; | 849 ctxt->lasttext = newbuf; |
| 831 target->content = newbuf; | 850 target->content = newbuf; |
| 832 } | 851 } |
| (...skipping 5578 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6411 XSLT_NAMESPACE, | 6430 XSLT_NAMESPACE, |
| 6412 (xsltTransformFunction) xsltDebug); | 6431 (xsltTransformFunction) xsltDebug); |
| 6413 xsltRegisterExtElement(ctxt, (const xmlChar *) "otherwise", | 6432 xsltRegisterExtElement(ctxt, (const xmlChar *) "otherwise", |
| 6414 XSLT_NAMESPACE, | 6433 XSLT_NAMESPACE, |
| 6415 (xsltTransformFunction) xsltDebug); | 6434 (xsltTransformFunction) xsltDebug); |
| 6416 xsltRegisterExtElement(ctxt, (const xmlChar *) "fallback", | 6435 xsltRegisterExtElement(ctxt, (const xmlChar *) "fallback", |
| 6417 XSLT_NAMESPACE, | 6436 XSLT_NAMESPACE, |
| 6418 (xsltTransformFunction) xsltDebug); | 6437 (xsltTransformFunction) xsltDebug); |
| 6419 | 6438 |
| 6420 } | 6439 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2676223002:
xsltAddTextString: Check for overflow when merging text nodes. (Closed)
