From 9bb32f5a7db09951187a608d7ba1b71b41127da0 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Tue, 2 Jan 2024 17:52:43 +0100
Subject: [PATCH] parser: Fix buffer size checks

Don't test size of remaining data. This causes false positives with memory buffers.

Also impose XML_MAX_HUGE_LENGTH limit when parsing with XML_PARSE_HUGE.
---
 parser.c | 15 ++++++++++-----
 parserInternals.c | 14 ++++++++------
 2 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/parser.c b/parser.c
index 845e0fd3..77106c1d 100644
--- a/parser.c
+++ b/parser.c
@@ -12198,6 +12198,8 @@ encoding_error:
 int
 xmlParseChunk(xmlParserCtxtPtr ctxt, const char *chunk, int size,
 int terminate) {
+ size_t curBase;
+ size_t maxLength;
 int end_in_lf = 0;
 
 if (ctxt == NULL)
@@ -12236,13 +12238,16 @@ xmlParseChunk(xmlParserCtxtPtr ctxt, const char *chunk, int size,
 if (ctxt->instate == XML_PARSER_EOF)
 return(ctxt->errNo);
 
- if ((ctxt->input != NULL) &&
- (((ctxt->input->end - ctxt->input->cur) > XML_MAX_LOOKUP_LIMIT) ||
- ((ctxt->input->cur - ctxt->input->base) > XML_MAX_LOOKUP_LIMIT)) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
+ curBase = ctxt->input->cur - ctxt->input->base;
+ maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_LOOKUP_LIMIT;
+ if (curBase > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "Buffer size limit exceeded, try XML_PARSE_HUGE\n");
 xmlHaltParser(ctxt);
 }
+
 if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1))
 return(ctxt->errNo);
 
diff --git a/parserInternals.c b/parserInternals.c
index 166397bd..9484ebdd 100644
--- a/parserInternals.c
+++ b/parserInternals.c
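Review bot: The rewritten limit check in the second parser.c hunk dereferences `ctxt->input` unconditionally at `curBase = ctxt->input->cur - ctxt->input->base;`, whereas the removed condition first tested `ctxt->input != NULL`. The lines between the declarations hunk and this one are not visible, so unless an earlier guard there already rejects a NULL input, a context whose input was never set up now crashes instead of being halted cleanly; an early return mirroring the visible `if (ctxt == NULL)` guard, `if (ctxt->input == NULL) return(XML_ERR_INTERNAL_ERROR);`, placed before the computation would keep the old safety. The comparison itself is sound in the safe direction: `cur - base` is a ptrdiff_t converted to size_t, so a negative distance would wrap to a huge value and trip the limit rather than slip past it. xmlParseChunk continues beyond the end of the hunk.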
@@ -511,8 +511,11 @@ int
 xmlParserGrow(xmlParserCtxtPtr ctxt) {
 xmlParserInputPtr in = ctxt->input;
 xmlParserInputBufferPtr buf = in->buf;
- ptrdiff_t curEnd = in->end - in->cur;
- ptrdiff_t curBase = in->cur - in->base;
+ size_t curEnd = in->end - in->cur;
+ size_t curBase = in->cur - in->base;
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_LOOKUP_LIMIT;
 int ret;
 
 if (buf == NULL)
@@ -526,10 +529,9 @@ xmlParserGrow(xmlParserCtxtPtr ctxt) {
 if (buf->error != 0)
 return(-1);
 
- if (((curEnd > XML_MAX_LOOKUP_LIMIT) ||
- (curBase > XML_MAX_LOOKUP_LIMIT)) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlErrMemory(ctxt, "Huge input lookup");
+ if (curBase > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "Buffer size limit exceeded, try XML_PARSE_HUGE\n");
 xmlHaltParser(ctxt);
 return(-1);
 }
-- 
2.54.0
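Review bot: `size_t curEnd = in->end - in->cur;` and the `curBase` line below it convert a ptrdiff_t to size_t implicitly; the direction is safe (a negative distance wraps to a huge value that trips the `curBase > maxLength` limit rather than bypassing it), but both a reader and -Wsign-conversion benefit from seeing that intent spelled out, e.g. `size_t curBase = (size_t)(in->cur - in->base);`. A one-line comment on the `maxLength` initialiser, such as `/* XML_PARSE_HUGE raises the cap to XML_MAX_HUGE_LENGTH; it no longer disables the check. */`, would record the behaviour change the commit message describes at the point where it is decided. xmlParserGrow continues past the end of the hunk.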
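Review bot: The halt path in the second parserInternals.c hunk now reports XML_ERR_INTERNAL_ERROR through xmlFatalErr where the removed code called xmlErrMemory, so a caller that distinguished an out-of-memory errNo from a fatal parse error will see a different code; this looks intentional and matches the parser.c hunk, but the reason for checking only `curBase` deserves a comment, e.g. `/* Only the consumed prefix (cur - base) is bounded; the unread remainder (end - cur) is deliberately not checked, since memory buffers hold the whole document and would always exceed the limit. */`. If xmlFatalErr already terminates the text it formats with a newline, the trailing `\n` in `"Buffer size limit exceeded, try XML_PARSE_HUGE\n"` produces an empty line in the error output; worth confirming against its definition, which is outside this hunk.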