Commit f9fce963 authored by Nick Wellnhofer's avatar Nick Wellnhofer

Fix unsigned integer overflow

It's defined behavior but -fsanitize=unsigned-integer-overflow is
useful to discover bugs.
parent dbc6b55b
......@@ -2281,9 +2281,8 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
*/
int
xmlParseCharRef(xmlParserCtxtPtr ctxt) {
unsigned int val = 0;
int val = 0;
int count = 0;
unsigned int outofrange = 0;
/*
* Using RAW/CUR/NEXT is okay since we are working on ASCII range here
......@@ -2310,8 +2309,8 @@ xmlParseCharRef(xmlParserCtxtPtr ctxt) {
val = 0;
break;
}
if (val > 0x10FFFF)
outofrange = val;
if (val > 0x110000)
val = 0x110000;
NEXT;
count++;
......@@ -2339,8 +2338,8 @@ xmlParseCharRef(xmlParserCtxtPtr ctxt) {
val = 0;
break;
}
if (val > 0x10FFFF)
outofrange = val;
if (val > 0x110000)
val = 0x110000;
NEXT;
count++;
......@@ -2360,7 +2359,11 @@ xmlParseCharRef(xmlParserCtxtPtr ctxt) {
* Characters referred to using character references must match the
* production for Char.
*/
if ((IS_CHAR(val) && (outofrange == 0))) {
if (val >= 0x110000) {
xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR,
"xmlParseCharRef: character reference out of bounds\n",
val);
} else if (IS_CHAR(val)) {
return(val);
} else {
xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR,
......@@ -2392,8 +2395,7 @@ static int
xmlParseStringCharRef(xmlParserCtxtPtr ctxt, const xmlChar **str) {
const xmlChar *ptr;
xmlChar cur;
unsigned int val = 0;
unsigned int outofrange = 0;
int val = 0;
if ((str == NULL) || (*str == NULL)) return(0);
ptr = *str;
......@@ -2413,8 +2415,8 @@ xmlParseStringCharRef(xmlParserCtxtPtr ctxt, const xmlChar **str) {
val = 0;
break;
}
if (val > 0x10FFFF)
outofrange = val;
if (val > 0x110000)
val = 0x110000;
ptr++;
cur = *ptr;
......@@ -2432,8 +2434,8 @@ xmlParseStringCharRef(xmlParserCtxtPtr ctxt, const xmlChar **str) {
val = 0;
break;
}
if (val > 0x10FFFF)
outofrange = val;
if (val > 0x110000)
val = 0x110000;
ptr++;
cur = *ptr;
......@@ -2451,7 +2453,11 @@ xmlParseStringCharRef(xmlParserCtxtPtr ctxt, const xmlChar **str) {
* Characters referred to using character references must match the
* production for Char.
*/
if ((IS_CHAR(val) && (outofrange == 0))) {
if (val >= 0x110000) {
xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR,
"xmlParseStringCharRef: character reference out of bounds\n",
val);
} else if (IS_CHAR(val)) {
return(val);
} else {
xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR,
......
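Review bot: The clamp sentinel 0x110000 appears as a bare literal ten times across the two functions (the `if (val > 0x110000) val = 0x110000;` pairs in each digit loop and the two final `if (val >= 0x110000)` checks) with nothing stating why that particular value is safe, so the invariant that keeps the now-signed `val` from overflowing is implicit. Because `val` is clamped to at most 0x110000 before the next `val * 16 + 15` (or `val * 10 + 9`) step, the intermediate stays far below INT_MAX; a comment on the first clamp in each function, `/* clamp: keeps val * 16 + 15 within int and flags the reference as out of range */`, or a single named constant for the sentinel would make that explicit. Note that once clamped, the `val` passed to xmlFatalErrMsgInt at the out-of-bounds report is the sentinel rather than the original number; the message there formats no integer, so nothing is lost, but a future "%d" in that message would print 1114112. The loop bodies and the tail of both functions lie outside the hunks shown.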
./test/errors/charref1.xml:1: parser error : xmlParseCharRef: invalid xmlChar value 60
./test/errors/charref1.xml:1: parser error : xmlParseCharRef: character reference out of bounds
<bla>&#010100000000000000000000000000000000000000000000000060;</bla>
^
./test/errors/charref1.xml:1: parser error : xmlParseCharRef: invalid xmlChar value 60
./test/errors/charref1.xml:1: parser error : xmlParseCharRef: character reference out of bounds
<bla>&#010100000000000000000000000000000000000000000000000060;</bla>
^
./test/errors/charref1.xml : failed to parse
......@@ -404,7 +404,8 @@ static void TIM_SORT_MERGE(SORT_TYPE *dst, const TIM_SORT_RUN_T *stack, const in
j = curr + A;
k = curr + A + B;
while (k-- > curr) {
while (k > curr) {
k--;
if ((i > 0) && (j > curr)) {
if (SORT_CMP(dst[j - 1], storage[i - 1]) > 0) {
dst[k] = dst[--j];
......
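Review bot: The reshaped loop exits with `k == curr`, whereas `while (k-- > curr)` exited with `k == curr - 1`; if any statement after the loop reads `k`, its value has changed. The remainder of TIM_SORT_MERGE is outside the hunk, so this cannot be confirmed from here and is worth checking. A one-line comment would also record the motivation, which is presumably that `k` is an unsigned index and the post-decrement form wrapped on the final comparison: `/* decrement inside the body: k-- in the condition would wrap past curr when k is unsigned */`.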
......@@ -325,16 +325,18 @@ static int
xmlParse3986Port(xmlURIPtr uri, const char **str)
{
const char *cur = *str;
unsigned port = 0; /* unsigned for defined overflow behavior */
int port = 0;
if (ISA_DIGIT(cur)) {
while (ISA_DIGIT(cur)) {
port = port * 10 + (*cur - '0');
if (port > 99999999)
port = 99999999;
cur++;
}
if (uri != NULL)
uri->port = port & INT_MAX; /* port value modulo INT_MAX+1 */
uri->port = port;
*str = cur;
return(0);
}
......
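Review bot: The clamp threshold 99999999 on the new `if (port > 99999999)` line is a bare literal with no explanation, and the comment that justified the old scheme was removed along with it, so the reader has to work out that 99999999 * 10 + 9 still fits in int. Suggest `if (port > 99999999) /* keep port * 10 + 9 below INT_MAX on the next iteration */` or a named constant for the threshold. As before, values above 65535 are still stored in `uri->port` (the old `port & INT_MAX` did not reject them either), so callers that hand the port to a socket API must still range-check it; a comment on the assignment, `/* not validated as a TCP/UDP port; callers must range-check */`, would make that contract visible. xmlParse3986Port continues past the hunk.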