From 9bb32f5a7db09951187a608d7ba1b71b41127da0 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 2 Jan 2024 17:52:43 +0100
Subject: [PATCH] parser: Fix buffer size checks
Don't test size of remaining data. This causes false positives with
memory buffers.
Also impose XML_MAX_HUGE_LENGTH limit when parsing with XML_PARSE_HUGE.
---
parser.c | 15 ++++++++++-----
parserInternals.c | 14 ++++++++------
2 files changed, 18 insertions(+), 11 deletions(-)
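diff --git a/parser.c b/parser.c
index 845e0fd3..77106c1d 100644
--- a/parser.c
+++ b/parser.c
@@ -12198,6 +12198,8 @@ encoding_error:
 int
 xmlParseChunk(xmlParserCtxtPtr ctxt, const char *chunk, int size,
 int terminate) {
+ size_t curBase;
+ size_t maxLength;
 int end_in_lf = 0;
 
 if (ctxt == NULL)
@@ -12236,13 +12238,16 @@ xmlParseChunk(xmlParserCtxtPtr ctxt, const char *chunk, int size,
 if (ctxt->instate == XML_PARSER_EOF)
 return(ctxt->errNo);
 
- if ((ctxt->input != NULL) &&
- (((ctxt->input->end - ctxt->input->cur) > XML_MAX_LOOKUP_LIMIT) ||
- ((ctxt->input->cur - ctxt->input->base) > XML_MAX_LOOKUP_LIMIT)) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
+ curBase = ctxt->input->cur - ctxt->input->base;
+ maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_LOOKUP_LIMIT;
+ if (curBase > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "Buffer size limit exceeded, try XML_PARSE_HUGE\n");
 xmlHaltParser(ctxt);
 }
+
 if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1))
 return(ctxt->errNo);
 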
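Review bot: The `ctxt->input != NULL` guard that the removed condition carried is gone, and the new `curBase = ctxt->input->cur - ctxt->input->base;` dereferences `ctxt->input` unconditionally; if `ctxt->input` can still be NULL at this point of xmlParseChunk (the earlier checks lie outside the hunk, so I cannot tell from here), this is a null dereference where the old code returned cleanly. A minimal fix keeps the guard in the condition: `if ((ctxt->input != NULL) && ((size_t)(ctxt->input->cur - ctxt->input->base) > maxLength)) {`. Separately, the message "Buffer size limit exceeded, try XML_PARSE_HUGE" is also emitted when XML_PARSE_HUGE is already set and it is XML_MAX_HUGE_LENGTH that was exceeded, so the advice is misleading in exactly the case the commit message adds; the same applies to the second hunk of parserInternals.c. Selecting the message on the option, e.g. `(ctxt->options & XML_PARSE_HUGE) ? "Buffer size limit exceeded\n" : "Buffer size limit exceeded, try XML_PARSE_HUGE\n"`, fixes both sites. xmlParseChunk continues outside the hunk.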
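diff --git a/parserInternals.c b/parserInternals.c
index 166397bd..9484ebdd 100644
--- a/parserInternals.c
+++ b/parserInternals.c
@@ -511,8 +511,11 @@ int
 xmlParserGrow(xmlParserCtxtPtr ctxt) {
 xmlParserInputPtr in = ctxt->input;
 xmlParserInputBufferPtr buf = in->buf;
- ptrdiff_t curEnd = in->end - in->cur;
- ptrdiff_t curBase = in->cur - in->base;
+ size_t curEnd = in->end - in->cur;
+ size_t curBase = in->cur - in->base;
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_LOOKUP_LIMIT;
 int ret;
 
 if (buf == NULL)
@@ -526,10 +529,9 @@ xmlParserGrow(xmlParserCtxtPtr ctxt) {
 if (buf->error != 0)
 return(-1);
 
- if (((curEnd > XML_MAX_LOOKUP_LIMIT) ||
- (curBase > XML_MAX_LOOKUP_LIMIT)) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlErrMemory(ctxt, "Huge input lookup");
+ if (curBase > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "Buffer size limit exceeded, try XML_PARSE_HUGE\n");
 xmlHaltParser(ctxt);
 return(-1);
 }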
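Review bot: `size_t curEnd = in->end - in->cur;` at the top of the first hunk is no longer read anywhere in the visible hunks now that the limit check only looks at `curBase`; if the rest of xmlParserGrow (the function continues outside the hunk) does not use it either, the declaration is dead and `-Wunused-variable` will flag it, and if it does use it, any comparison of the now-unsigned `curEnd` against a signed threshold becomes a mixed-signedness comparison worth checking. The change from `ptrdiff_t` to `size_t` also alters the failure mode for a negative `in->cur - in->base` (a broken input invariant): it used to pass the `>` test silently, whereas it now wraps to a huge value and is rejected by the limit check — a safer outcome, but one that should be stated, e.g. `/* a negative difference wraps and is rejected by the limit check below */` above the `curBase` line. The error is still reported as `XML_ERR_INTERNAL_ERROR`, which classifies an input-size limit as a parser bug rather than a resource limit; if the project has a dedicated resource-limit error code, it would be the better choice here and in parser.c.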
--
2.54.0