|
Lines 1-77
Link Here
|
| 1 |
Found at https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c on 2015-07-27. Modified: replaced path parser/expat/lib/xmlparse.c with lib/xmlparse.c. |
|
|
| 2 |
diff --git a/lib/xmlparse.c b/lib/xmlparse.c |
| 3 |
--- a/lib/xmlparse.c |
| 4 |
+++ b/lib/xmlparse.c |
| 5 |
@@ -1646,29 +1646,40 @@ XML_ParseBuffer(XML_Parser parser, int l |
| 6 |
XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position); |
| 7 |
positionPtr = bufferPtr; |
| 8 |
return result; |
| 9 |
} |
| 10 |
|
| 11 |
void * XMLCALL |
| 12 |
XML_GetBuffer(XML_Parser parser, int len) |
| 13 |
{ |
| 14 |
+/* BEGIN MOZILLA CHANGE (sanity check len) */ |
| 15 |
+ if (len < 0) { |
| 16 |
+ errorCode = XML_ERROR_NO_MEMORY; |
| 17 |
+ return NULL; |
| 18 |
+ } |
| 19 |
+/* END MOZILLA CHANGE */ |
| 20 |
switch (ps_parsing) { |
| 21 |
case XML_SUSPENDED: |
| 22 |
errorCode = XML_ERROR_SUSPENDED; |
| 23 |
return NULL; |
| 24 |
case XML_FINISHED: |
| 25 |
errorCode = XML_ERROR_FINISHED; |
| 26 |
return NULL; |
| 27 |
default: ; |
| 28 |
} |
| 29 |
|
| 30 |
if (len > bufferLim - bufferEnd) { |
| 31 |
- /* FIXME avoid integer overflow */ |
| 32 |
int neededSize = len + (int)(bufferEnd - bufferPtr); |
| 33 |
+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ |
| 34 |
+ if (neededSize < 0) { |
| 35 |
+ errorCode = XML_ERROR_NO_MEMORY; |
| 36 |
+ return NULL; |
| 37 |
+ } |
| 38 |
+/* END MOZILLA CHANGE */ |
| 39 |
#ifdef XML_CONTEXT_BYTES |
| 40 |
int keep = (int)(bufferPtr - buffer); |
| 41 |
|
| 42 |
if (keep > XML_CONTEXT_BYTES) |
| 43 |
keep = XML_CONTEXT_BYTES; |
| 44 |
neededSize += keep; |
| 45 |
#endif /* defined XML_CONTEXT_BYTES */ |
| 46 |
if (neededSize <= bufferLim - buffer) { |
| 47 |
@@ -1687,17 +1698,25 @@ XML_GetBuffer(XML_Parser parser, int len |
| 48 |
} |
| 49 |
else { |
| 50 |
char *newBuf; |
| 51 |
int bufferSize = (int)(bufferLim - bufferPtr); |
| 52 |
if (bufferSize == 0) |
| 53 |
bufferSize = INIT_BUFFER_SIZE; |
| 54 |
do { |
| 55 |
bufferSize *= 2; |
| 56 |
- } while (bufferSize < neededSize); |
| 57 |
+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ |
| 58 |
+ } while (bufferSize < neededSize && bufferSize > 0); |
| 59 |
+/* END MOZILLA CHANGE */ |
| 60 |
+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ |
| 61 |
+ if (bufferSize <= 0) { |
| 62 |
+ errorCode = XML_ERROR_NO_MEMORY; |
| 63 |
+ return NULL; |
| 64 |
+ } |
| 65 |
+/* END MOZILLA CHANGE */ |
| 66 |
newBuf = (char *)MALLOC(bufferSize); |
| 67 |
if (newBuf == 0) { |
| 68 |
errorCode = XML_ERROR_NO_MEMORY; |
| 69 |
return NULL; |
| 70 |
} |
| 71 |
bufferLim = newBuf + bufferSize; |
| 72 |
#ifdef XML_CONTEXT_BYTES |
| 73 |
if (bufferPtr) { |
| 74 |
|
| 75 |
|
| 76 |
|
| 77 |
|