From 78c6079deb5461df8f6994f2e244fa6671fae166 Mon Sep 17 00:00:00 2001
From: Young
Date: Wed, 15 Aug 2018 11:01:23 +0800
Subject: [PATCH] Introduce a new allocation type for the buffers
---
 tree.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 42 insertions(+), 2 deletions(-)
diff --git a/tree.c b/tree.c
index 959421b..a6f8c8b 100644
--- tree.c
+++ b/tree.c
@@ -7151,8 +7151,9 @@ xmlBufferSetAllocationScheme(xmlBufferPtr buf,
 if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
 (scheme == XML_BUFFER_ALLOC_EXACT) ||
 (scheme == XML_BUFFER_ALLOC_HYBRID) ||
- (scheme == XML_BUFFER_ALLOC_IMMUTABLE))
- buf->alloc = scheme;
+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
+ (scheme == XML_BUFFER_ALLOC_BOUNDED))
+ buf->alloc = scheme;
 }
 /**
@@ -7286,6 +7287,18 @@ xmlBufferGrow(xmlBufferPtr buf, unsigned int len) {
 size = buf->use + len + 100;
 #endif
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
+ (buf->size >= XML_MAX_TEXT_LENGTH)) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(0);
+ }
+ if (size >= XML_MAX_TEXT_LENGTH)
+ size = XML_MAX_TEXT_LENGTH;
+ }
 if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
 size_t start_buf = buf->content - buf->contentIO;
@@ -7396,6 +7409,15 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
 return(0);
 if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(0);
+ }
+ }
 /* Don't resize if we don't have to */
 if (size < buf->size)
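Review bot: The limit test added to xmlBufferGrow adds `buf->use + len` before comparing with XML_MAX_TEXT_LENGTH, and `len` is an unsigned int, so a very large `len` can wrap the sum to a small value and slip past the bound unless a check above the hunk already rejects it (the function body starts outside the hunk). Test the operands without adding them: `if ((len >= XML_MAX_TEXT_LENGTH) || (buf->use >= XML_MAX_TEXT_LENGTH - len) || (buf->size >= XML_MAX_TEXT_LENGTH)) {`. The xmlBufferAdd and xmlBufferAddHead hunks have the same weakness, because `needSize = buf->use + len + 2` is computed before the new comparison.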
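Review bot: `needSize` is tested in the check added to xmlBufferResize, but the hunk header shows the parameter as `unsigned int size` and the next unchanged line compares `size`, so `needSize` looks undeclared in this function unless it is defined above the hunk. The condition should presumably read `if (size >= XML_MAX_TEXT_LENGTH) {`. Once the bound is enforced here, the identical checks placed before the xmlBufferResize calls in xmlBufferAdd and xmlBufferAddHead repeat it, so the limit is maintained in three places instead of one.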
@@ -7522,6 +7544,15 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) {
 needSize = buf->use + len + 2;
 if (needSize > buf->size){
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(-1);
+ }
+ }
 if (!xmlBufferResize(buf, needSize)){
 xmlTreeErrMemory("growing buffer");
 return XML_ERR_NO_MEMORY;
@@ -7590,6 +7621,15 @@ xmlBufferAddHead(xmlBufferPtr buf, const xmlChar *str, int len) {
 }
 needSize = buf->use + len + 2;
 if (needSize > buf->size){
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(-1);
+ }
+ }
 if (!xmlBufferResize(buf, needSize)){
 xmlTreeErrMemory("growing buffer");
 return XML_ERR_NO_MEMORY;
--
1.7.9.5
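Review bot: The new error path in xmlBufferAdd calls `xmlBufMemoryError(buf, ...)` with an xmlBufferPtr, while the unchanged lines right below report through `xmlTreeErrMemory("growing buffer")`. If xmlBufMemoryError is the helper private to buf.c that expects an xmlBufPtr (as in upstream libxml2, to my knowledge), it is not usable from tree.c. Reporting with the file's own helper, `xmlTreeErrMemory("buffer error: text too long");`, keeps the error path consistent. The same call is added in the xmlBufferGrow, xmlBufferResize and xmlBufferAddHead hunks. The function continues outside the hunk.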