Commit c97750d1 authored by Daniel Veillard's avatar Daniel Veillard

Avoid an out of bound access when serializing malformed strings

For https://bugzilla.gnome.org/show_bug.cgi?id=766414

* xmlsave.c: xmlBufAttrSerializeTxtContent() if an attribute value
  is not UTF-8 be more careful when serializing it as we may do an
  out of bound access as a result.
parent 886529b5
......@@ -2097,8 +2097,8 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc,
xmlBufAdd(buf, BAD_CAST "&", 5);
cur++;
base = cur;
} else if ((*cur >= 0x80) && ((doc == NULL) ||
(doc->encoding == NULL))) {
} else if ((*cur >= 0x80) && (cur[1] != 0) &&
((doc == NULL) || (doc->encoding == NULL))) {
/*
* We assume we have UTF-8 content.
*/
......@@ -2121,14 +2121,14 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc,
val <<= 6;
val |= (cur[1]) & 0x3F;
l = 2;
} else if (*cur < 0xF0) {
} else if ((*cur < 0xF0) && (cur [2] != 0)) {
val = (cur[0]) & 0x0F;
val <<= 6;
val |= (cur[1]) & 0x3F;
val <<= 6;
val |= (cur[2]) & 0x3F;
l = 3;
} else if (*cur < 0xF8) {
} else if ((*cur < 0xF8) && (cur [2] != 0) && (cur[3] != 0)) {
val = (cur[0]) & 0x07;
val <<= 6;
val |= (cur[1]) & 0x3F;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment