[libxml2] Fix unsigned integer overflow
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Fix unsigned integer overflow
- Date: Mon, 20 May 2019 11:44:14 +0000 (UTC)
commit f9fce963132b2a56a0f91bc19223a5c60f9786cb
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Thu May 16 21:16:01 2019 +0200
Fix unsigned integer overflow
It's defined behavior but -fsanitize=unsigned-integer-overflow is
useful to discover bugs.
parser.c | 34 ++++++++++++++++++++--------------
result/errors/charref1.xml.err | 2 +-
result/errors/charref1.xml.str | 2 +-
timsort.h | 3 ++-
uri.c | 6 ++++--
5 files changed, 28 insertions(+), 19 deletions(-)
---
diff --git a/parser.c b/parser.c
index 2cab92c6..459502b5 100644
--- a/parser.c
+++ b/parser.c
@@ -2281,9 +2281,8 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
*/
int
xmlParseCharRef(xmlParserCtxtPtr ctxt) {
- unsigned int val = 0;
+ int val = 0;
int count = 0;
- unsigned int outofrange = 0;
/*
* Using RAW/CUR/NEXT is okay since we are working on ASCII range here
@@ -2310,8 +2309,8 @@ xmlParseCharRef(xmlParserCtxtPtr ctxt) {
val = 0;
break;
}
- if (val > 0x10FFFF)
- outofrange = val;
+ if (val > 0x110000)
+ val = 0x110000;
NEXT;
count++;
@@ -2339,8 +2338,8 @@ xmlParseCharRef(xmlParserCtxtPtr ctxt) {
val = 0;
break;
}
- if (val > 0x10FFFF)
- outofrange = val;
+ if (val > 0x110000)
+ val = 0x110000;
NEXT;
count++;
@@ -2360,7 +2359,11 @@ xmlParseCharRef(xmlParserCtxtPtr ctxt) {
* Characters referred to using character references must match the
* production for Char.
*/
- if ((IS_CHAR(val) && (outofrange == 0))) {
+ if (val >= 0x110000) {
+ xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR,
+ "xmlParseCharRef: character reference out of bounds\n",
+ val);
+ } else if (IS_CHAR(val)) {
return(val);
} else {
xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR,
@@ -2392,8 +2395,7 @@ static int
xmlParseStringCharRef(xmlParserCtxtPtr ctxt, const xmlChar **str) {
const xmlChar *ptr;
xmlChar cur;
- unsigned int val = 0;
- unsigned int outofrange = 0;
+ int val = 0;
if ((str == NULL) || (*str == NULL)) return(0);
ptr = *str;
@@ -2413,8 +2415,8 @@ xmlParseStringCharRef(xmlParserCtxtPtr ctxt, const xmlChar **str) {
val = 0;
break;
}
- if (val > 0x10FFFF)
- outofrange = val;
+ if (val > 0x110000)
+ val = 0x110000;
ptr++;
cur = *ptr;
@@ -2432,8 +2434,8 @@ xmlParseStringCharRef(xmlParserCtxtPtr ctxt, const xmlChar **str) {
val = 0;
break;
}
- if (val > 0x10FFFF)
- outofrange = val;
+ if (val > 0x110000)
+ val = 0x110000;
ptr++;
cur = *ptr;
@@ -2451,7 +2453,11 @@ xmlParseStringCharRef(xmlParserCtxtPtr ctxt, const xmlChar **str) {
* Characters referred to using character references must match the
* production for Char.
*/
- if ((IS_CHAR(val) && (outofrange == 0))) {
+ if (val >= 0x110000) {
+ xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR,
+ "xmlParseStringCharRef: character reference out of bounds\n",
+ val);
+ } else if (IS_CHAR(val)) {
return(val);
} else {
xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR,
diff --git a/result/errors/charref1.xml.err b/result/errors/charref1.xml.err
index aa43bcf4..dbf30054 100644
--- a/result/errors/charref1.xml.err
+++ b/result/errors/charref1.xml.err
@@ -1,3 +1,3 @@
-./test/errors/charref1.xml:1: parser error : xmlParseCharRef: invalid xmlChar value 60
+./test/errors/charref1.xml:1: parser error : xmlParseCharRef: character reference out of bounds
<bla>�</bla>
^
diff --git a/result/errors/charref1.xml.str b/result/errors/charref1.xml.str
index 467b4f6a..692f614e 100644
--- a/result/errors/charref1.xml.str
+++ b/result/errors/charref1.xml.str
@@ -1,4 +1,4 @@
-./test/errors/charref1.xml:1: parser error : xmlParseCharRef: invalid xmlChar value 60
+./test/errors/charref1.xml:1: parser error : xmlParseCharRef: character reference out of bounds
<bla>�</bla>
^
./test/errors/charref1.xml : failed to parse
diff --git a/timsort.h b/timsort.h
index e841bd9c..622705b3 100644
--- a/timsort.h
+++ b/timsort.h
@@ -404,7 +404,8 @@ static void TIM_SORT_MERGE(SORT_TYPE *dst, const TIM_SORT_RUN_T *stack, const in
j = curr + A;
k = curr + A + B;
- while (k-- > curr) {
+ while (k > curr) {
+ k--;
if ((i > 0) && (j > curr)) {
if (SORT_CMP(dst[j - 1], storage[i - 1]) > 0) {
dst[k] = dst[--j];
diff --git a/uri.c b/uri.c
index 2cf8d9f1..9772aafa 100644
--- a/uri.c
+++ b/uri.c
@@ -325,16 +325,18 @@ static int
xmlParse3986Port(xmlURIPtr uri, const char **str)
{
const char *cur = *str;
- unsigned port = 0; /* unsigned for defined overflow behavior */
+ int port = 0;
if (ISA_DIGIT(cur)) {
while (ISA_DIGIT(cur)) {
port = port * 10 + (*cur - '0');
+ if (port > 99999999)
+ port = 99999999;
cur++;
}
if (uri != NULL)
- uri->port = port & INT_MAX; /* port value modulo INT_MAX+1 */
+ uri->port = port;
*str = cur;
return(0);
}
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]