57 lines
1.6 KiB
Diff
57 lines
1.6 KiB
Diff
From 40e00bc5174ab61036c893078123467144b05a4a Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Mon, 14 Oct 2019 16:56:59 +0200
|
|
Subject: [PATCH] Fix integer overflow when counting written bytes
|
|
|
|
Check for integer overflow when updating the `written` member of
|
|
struct xmlOutputBuffer in xmlIO.c.
|
|
|
|
Closes #112. Resolves !54 and !55.
|
|
---
|
|
xmlIO.c | 15 ++++++++++++---
|
|
1 file changed, 12 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/xmlIO.c b/xmlIO.c
|
|
index 2a1e2cb08..752d5e0a0 100644
|
|
--- a/xmlIO.c
|
|
+++ b/xmlIO.c
|
|
@@ -3413,7 +3413,10 @@ xmlOutputBufferWrite(xmlOutputBufferPtr out, int len, const char *buf) {
|
|
out->error = XML_IO_WRITE;
|
|
return(ret);
|
|
}
|
|
- out->written += ret;
|
|
+ if (out->written > INT_MAX - ret)
|
|
+ out->written = INT_MAX;
|
|
+ else
|
|
+ out->written += ret;
|
|
}
|
|
written += nbchars;
|
|
} while (len > 0);
|
|
@@ -3609,7 +3612,10 @@ xmlOutputBufferWriteEscape(xmlOutputBufferPtr out, const xmlChar *str,
|
|
out->error = XML_IO_WRITE;
|
|
return(ret);
|
|
}
|
|
- out->written += ret;
|
|
+ if (out->written > INT_MAX - ret)
|
|
+ out->written = INT_MAX;
|
|
+ else
|
|
+ out->written += ret;
|
|
} else if (xmlBufAvail(out->buffer) < MINLEN) {
|
|
xmlBufGrow(out->buffer, MINLEN);
|
|
}
|
|
@@ -3703,7 +3709,10 @@ xmlOutputBufferFlush(xmlOutputBufferPtr out) {
|
|
out->error = XML_IO_FLUSH;
|
|
return(ret);
|
|
}
|
|
- out->written += ret;
|
|
+ if (out->written > INT_MAX - ret)
|
|
+ out->written = INT_MAX;
|
|
+ else
|
|
+ out->written += ret;
|
|
|
|
#ifdef DEBUG_INPUT
|
|
xmlGenericError(xmlGenericErrorContext,
|
|
--
|
|
GitLab
|
|
|