1From 4951c462eae68562df335ff6d611f4352ea9931d Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Sun, 6 Mar 2022 02:29:00 +0100
4Subject: [PATCH] Avoid arithmetic on freed pointers
5
6Conflict:NA
7Reference:https://gitlab.gnome.org/GNOME/libxml2/-/commit/4951c462eae68562df335ff6d611f4352ea9931d
8
9---
10 parserInternals.c | 45 +++++++++------------------------------------
11 1 file changed, 9 insertions(+), 36 deletions(-)
12
13diff --git a/parserInternals.c b/parserInternals.c
14index c5c0b16..d68592f 100644
15--- a/parserInternals.c
16+++ b/parserInternals.c
17@@ -300,7 +300,6 @@ int
18 xmlParserInputGrow(xmlParserInputPtr in, int len) {
19     int ret;
20     size_t indx;
21-    const xmlChar *content;
22
23     if ((in == NULL) || (len < 0)) return(-1);
24 #ifdef DEBUG_INPUT
25@@ -325,22 +324,8 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) {
26     } else
27         return(0);
28
29-    /*
30-     * NOTE : in->base may be a "dangling" i.e. freed pointer in this
31-     *        block, but we use it really as an integer to do some
32-     *        pointer arithmetic. Insure will raise it as a bug but in
33-     *        that specific case, that's not !
34-     */
35-
36-    content = xmlBufContent(in->buf->buffer);
37-    if (in->base != content) {
38-        /*
39-	 * the buffer has been reallocated
40-	 */
41-	indx = in->cur - in->base;
42-	in->base = content;
43-	in->cur = &content[indx];
44-    }
45+    in->base = xmlBufContent(in->buf->buffer);
46+    in->cur = in->base + indx;
47     in->end = xmlBufEnd(in->buf->buffer);
48
49     CHECK_BUFFER(in);
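Review bot: The new pair `in->base = xmlBufContent(in->buf->buffer);` / `in->cur = in->base + indx;` runs unconditionally, including when the preceding xmlParserInputBufferGrow call (above this hunk) has failed; xmlBufContent returns NULL for a buffer in the error state, and `in->base + indx` is then arithmetic on a null pointer that leaves in->cur pointing nowhere for the caller. A guard between the two added lines, `if (in->base == NULL) return(-1);`, or an early return on `ret < 0` before the recomputation, would keep the error path from producing an unusable input. The same unconditional recomputation appears in the xmlParserInputShrink hunk at `@@ -380,27 +363,17 @@`. `indx` is assigned earlier in xmlParserInputGrow, outside this hunk, and the function's tail is also outside it.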
50@@ -358,8 +343,6 @@ void
51 xmlParserInputShrink(xmlParserInputPtr in) {
52     size_t used;
53     size_t ret;
54-    size_t indx;
55-    const xmlChar *content;
56
57 #ifdef DEBUG_INPUT
58     xmlGenericError(xmlGenericErrorContext, "Shrink\n");
59@@ -372,7 +355,7 @@ xmlParserInputShrink(xmlParserInputPtr in) {
60
61     CHECK_BUFFER(in);
62
63-    used = in->cur - xmlBufContent(in->buf->buffer);
64+    used = in->cur - in->base;
65     /*
66      * Do not shrink on large buffers whose only a tiny fraction
67      * was consumed
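Review bot: `used = in->cur - in->base;` now depends on in->base being equal to xmlBufContent(in->buf->buffer) on entry, an invariant this commit appears to establish in xmlParserInputGrow but which the hunk does not state; any other path that replaces the underlying buffer without refreshing in->base would silently make `used` wrong and feed a bad length to xmlBufShrink below. A one-line comment above the assignment, such as `/* in->base is kept in sync with xmlBufContent(in->buf->buffer) by xmlParserInputGrow */`, would record that dependency. The rest of xmlParserInputShrink lies outside this hunk.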
68@@ -380,27 +363,17 @@ xmlParserInputShrink(xmlParserInputPtr in) {
69     if (used > INPUT_CHUNK) {
70 	ret = xmlBufShrink(in->buf->buffer, used - LINE_LEN);
71 	if (ret > 0) {
72-	    in->cur -= ret;
73+            used -= ret;
74 	    in->consumed += ret;
75 	}
76-	in->end = xmlBufEnd(in->buf->buffer);
77     }
78
79-    CHECK_BUFFER(in);
80-
81-    if (xmlBufUse(in->buf->buffer) > INPUT_CHUNK) {
82-        return;
83-    }
84-    xmlParserInputBufferRead(in->buf, 2 * INPUT_CHUNK);
85-    content = xmlBufContent(in->buf->buffer);
86-    if (in->base != content) {
87-        /*
88-	 * the buffer has been reallocated
89-	 */
90-	indx = in->cur - in->base;
91-	in->base = content;
92-	in->cur = &content[indx];
93+    if (xmlBufUse(in->buf->buffer) <= INPUT_CHUNK) {
94+        xmlParserInputBufferRead(in->buf, 2 * INPUT_CHUNK);
95     }
96+
97+    in->base = xmlBufContent(in->buf->buffer);
98+    in->cur = in->base + used;
99     in->end = xmlBufEnd(in->buf->buffer);
100
101     CHECK_BUFFER(in);
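Review bot: The added line `used -= ret;` is indented with spaces while the neighbouring lines of the same block (`ret = xmlBufShrink(...)`, `in->consumed += ret;`) use tabs, which renders as a visible misalignment at tab width 8; re-indent it to match the surrounding style. Separately, `used -= ret` assumes xmlBufShrink never returns more than the `used - LINE_LEN` it was asked for, since `used` is size_t and would wrap on a larger value; a brief comment stating that contract, or a defensive `if (ret > used) ret = used;` before the subtraction, would make the assumption explicit. The enclosing function continues past the end of this hunk.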
102--
1032.27.0
104
105