Skip to content

Fix more overflow checks, off-by-ones and missing NUL terminators in xmlBuf and xmlBuffer

David Kilzer requested to merge fix-more-xmlBuf-and-xmlBuffer-issues into master

In broad strokes, this does the following:

  • Do not include the NUL terminator byte for lengths returned from functions. This lets functions be more defensive.
  • Set error messages when returning early due to out-of-memory or buffer-too-large errors.
  • Set NUL terminator consistently on buffer boundaries before returning.
  • Add a few more integer overflow checks.
  • buf.c: (xmlBufGrowInternal):
  • Do not include NUL terminator byte when returning length.
  • Always set NUL terminator at the end of the new buffer length before returning.
  • Call xmlBufMemoryError() when the buffer size would overflow.
  • Account for NUL terminator byte when using XML_MAX_TEXT_LENGTH.
  • Always set NUL terminator at the end of the current buffer after resizing the buffer. (xmlBufAddLen):
  • Return an error if the buffer does not have free space for the NUL terminator byte. (xmlBufAvail):
  • Do not include the NUL terminator byte in the length returned. (See changes to encoding.c and xmlIO.c.) (xmlBufResize):
  • Move setting of NUL terminator to common code. More than one path through the function failed to set it. (xmlBufAdd):
  • Call xmlBufMemoryError() when the buffer size would overflow. (xmlBufAddHead):
  • Set NUL terminator before returning early when shifting contents.
  • Add overflow checks similar to those in xmlBufAdd().
  • encoding.c: (xmlCharEncFirstLineInput): (xmlCharEncInput): (xmlCharEncOutput):
  • No longer need to subtract one from the return value of xmlBufAvail() since the function does this now.
  • testchar.c: (testCharRanges):
  • Pass the string length without the NUL terminator.
  • tree.c: (xmlBufferGrow):
  • Do not include NUL terminator byte when returning length.
  • Always set NUL terminator at the end of the new buffer length before returning.
  • Call xmlTreeErrMemory() when the buffer size would overflow.
  • Always set NUL terminator at the end of the current buffer after resizing the buffer. (xmlBufferDump):
  • Change type of the return variable to match fwrite().
  • Clamp return value to INT_MAX to prevent overflow. (xmlBufferResize):
  • Update error message in xmlTreeErrMemory() to be consistent with other similar messages.
  • Fix double semi-colon typos from commit 6c283d83.
  • Move setting of NUL terminator to common code. More than one path through the function failed to set it. (xmlBufferAdd):
  • Call xmlTreeErrMemory() when the buffer size would overflow. (xmlBufferAddHead):
  • Set NUL terminator before returning early when shifting contents.
  • Add overflow checks similar to those in xmlBufferAdd().
  • xmlIO.c: (xmlOutputBufferWriteEscape):
  • No longer need to subtract one from the return value of xmlBufAvail() since the function does this now.

Merge request reports