author | Nick Wellnhofer <wellnhofer@aevum.de> | 2016-04-10 13:12:28 +0200 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2016-04-10 13:21:48 +0200 |
commit | 91d0540ac9beaa86719a05b749219a69baa0dd8d (patch) | |
tree | 683409f650e4426da6a7a0c58ef262f7107a7f7e | |
parent | 405034286fbdd6166229335b7203a41bf53b40fc (diff) | |
download | libxslt-91d0540ac9beaa86719a05b749219a69baa0dd8d.tar.gz |
Lower and upper bound for format token "i"
Handle xsl:number with format "i" and value 0 according to XSLT 2.0.
Also introduce an upper bound to fix a denial of service.
-rw-r--r-- | libxslt/numbers.c | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index af528834..e769c42b 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -274,11 +274,24 @@ xsltNumberFormatAlpha(xsltNumberDataPtr data,
 }
 
 static void
-xsltNumberFormatRoman(xmlBufferPtr buffer,
+xsltNumberFormatRoman(xsltNumberDataPtr data,
+ xmlBufferPtr buffer,
 double number,
 int is_upper)
 {
 /*
+ * See discussion in xsltNumberFormatAlpha. Also use a reasonable upper
+ * bound to avoid denial of service.
+ */
+ if (number < 1.0 || number > 5000.0) {
+ xsltNumberFormatDecimal(buffer, number, '0', 1,
+ data->digitsPerGroup,
+ data->groupingCharacter,
+ data->groupingCharacterLen);
+ return;
+ }
+
+ /*
 * Based on an example by Jim Walsh
 */
 while (number >= 1000.0) {
@@ -527,16 +540,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
 xsltNumberFormatAlpha(data, buffer, number, FALSE);
 break;
 case 'I':
- xsltNumberFormatRoman(buffer,
- number,
- TRUE);
-
+ xsltNumberFormatRoman(data, buffer, number, TRUE);
 break;
 case 'i':
- xsltNumberFormatRoman(buffer,
- number,
- FALSE);
-
+ xsltNumberFormatRoman(data, buffer, number, FALSE);
 break;
 default:
 if (IS_DIGIT_ZERO(token->token)) { |
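Review bot: The new range check in xsltNumberFormatRoman, `if (number < 1.0 || number > 5000.0)`, is false for NaN, so a NaN would skip the decimal fallback and also fail the `while (number >= 1000.0)` test, most likely producing no output at all. Whether the caller filters NaN before dispatching on the format token is not visible in this hunk; writing the guard as `if (!(number >= 1.0 && number <= 5000.0)) {` would make the function safe on its own. The literal 5000.0 is what bounds the output length and closes the denial of service, so it deserves a named constant, and the comment should state that out-of-range values are formatted as decimal instead. The function body continues past the end of the hunk.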