author | David Kilzer <ddkilzer@apple.com> | 2022-05-13 14:43:33 -0700 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2022-06-16 12:01:27 +0000 |
commit | 6ef16dee7ac8af32b8a0dd793445b1148e240364 (patch) | |
tree | 60ee3bf8db25933b31e889ba294e1226bf96eda6 /buf.c | |
parent | 4ce2abf6f656b3e78ad40e33191a8b42561c10b0 (diff) | |
download | libxml2-6ef16dee7ac8af32b8a0dd793445b1148e240364.tar.gz |
Reserve byte for NUL terminator and report errors consistently in xmlBuf and xmlBuffer
This is a follow-up to commit 6c283d83.
* buf.c:
(xmlBufGrowInternal):
- Call xmlBufMemoryError() when the buffer size would overflow.
- Account for NUL terminator byte when using XML_MAX_TEXT_LENGTH.
- Do not include NUL terminator byte when returning length.
(xmlBufAdd):
- Call xmlBufMemoryError() when the buffer size would overflow.
* tree.c:
(xmlBufferGrow):
- Call xmlTreeErrMemory() when the buffer size would overflow.
- Do not include NUL terminator byte when returning length.
(xmlBufferResize):
- Update error message in xmlTreeErrMemory() to be consistent
with other similar messages.
(xmlBufferAdd):
- Call xmlTreeErrMemory() when the buffer size would overflow.
(xmlBufferAddHead):
- Add overflow checks similar to those in xmlBufferAdd().
Diffstat (limited to 'buf.c')
-rw-r--r-- | buf.c | 15 |
1 files changed, 10 insertions, 5 deletions
@@ -436,9 +436,11 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
 if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
 if (len < buf->size - buf->use)
- return(buf->size - buf->use);
- if (len > SIZE_MAX - buf->use)
+ return(buf->size - buf->use - 1);
+ if (len >= SIZE_MAX - buf->use) {
+ xmlBufMemoryError(buf, "growing buffer past SIZE_MAX");
 return(0);
+ }
 if (buf->size > (size_t) len) {
 size = buf->size > SIZE_MAX / 2 ? SIZE_MAX : buf->size * 2;
@@ -451,7 +453,7 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
 /*
 * Used to provide parsing limits
 */
- if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
+ if ((buf->use + len + 1 >= XML_MAX_TEXT_LENGTH) ||
 (buf->size >= XML_MAX_TEXT_LENGTH)) {
 xmlBufMemoryError(buf, "buffer error: text too long\n");
 return(0);
@@ -479,7 +481,7 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
 }
 buf->size = size;
 UPDATE_COMPAT(buf)
- return(buf->size - buf->use);
+ return(buf->size - buf->use - 1);
 }
 /**
@@ -839,9 +841,12 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
 if (len < 0) return -1;
 if (len == 0) return 0;
+ /* Note that both buf->size and buf->use can be zero here. */
 if ((size_t) len >= buf->size - buf->use) {
- if ((size_t) len >= SIZE_MAX - buf->use)
+ if ((size_t) len >= SIZE_MAX - buf->use) {
+ xmlBufMemoryError(buf, "growing buffer past SIZE_MAX");
 return(-1);
+ }
 needSize = buf->use + len + 1;
 if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
 /*
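Review bot: The new fast path `return(buf->size - buf->use - 1);` can legitimately evaluate to 0 — `len == 0` with exactly one free byte, the reserved terminator, satisfies `len < buf->size - buf->use` — and 0 is also what the immutable-buffer branch and the new `SIZE_MAX` overflow branch return, so a caller cannot tell "nothing needed" from failure by the return value alone. The added `xmlBufMemoryError()` call presumably records the failure on `buf` (its implementation is not in this hunk), so the contract should say that callers must consult the buffer's error state rather than the count. The function's header comment lies outside this hunk; I would add to its return description: `Returns the number of bytes available after the call, not counting the reserved NUL terminator, or 0 on failure; 0 is also a valid result for len == 0, so check the buffer's error state to tell the two apart.` xmlBufGrowInternal begins before and continues after this hunk.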
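Review bot: The `+ 1` in `if ((buf->use + len + 1 >= XML_MAX_TEXT_LENGTH) ||` is not explained by the surrounding "Used to provide parsing limits" comment, and it changes the effective limit: with `>=` the content is now rejected once `buf->use + len` reaches `XML_MAX_TEXT_LENGTH - 1`, i.e. at most `XML_MAX_TEXT_LENGTH - 2` payload bytes fit, as far as this hunk shows. The addition itself cannot wrap because the earlier hunk returns when `len >= SIZE_MAX - buf->use`, and that is worth stating next to the check. I would extend the comment block with: ` * The +1 accounts for the reserved NUL terminator; the sum cannot wrap because len < SIZE_MAX - buf->use was checked above.` Separately, this hunk's message `"buffer error: text too long\n"` ends in a newline while the new `"growing buffer past SIZE_MAX"` in the same function does not; one form should be used for both. The enclosing function starts before and ends after this hunk.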
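Review bot: The added comment `/* Note that both buf->size and buf->use can be zero here. */` states what can happen but not why it matters to the two checks right below it: when both are zero `buf->size - buf->use` is 0, so any positive `len` enters the grow path, and the inner guard uses `>=` rather than `>` so that `needSize = buf->use + len + 1` cannot wrap when the terminator byte is added. I would make that explicit: `/* buf->size and buf->use may both be 0 here. The >= below leaves room for the NUL terminator so that buf->use + len + 1 cannot wrap around. */`. The remainder of xmlBufAdd, including the XML_BUFFER_ALLOC_BOUNDED handling, is outside this hunk.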