1From 6ef16dee7ac8af32b8a0dd793445b1148e240364 Mon Sep 17 00:00:00 2001
2From: David Kilzer <ddkilzer@apple.com>
3Date: Fri, 13 May 2022 14:43:33 -0700
4Subject: [PATCH 300/300] Reserve byte for NUL terminator and report errors
5 consistently in xmlBuf and xmlBuffer
6
7This is a follow-up to commit 6c283d83.
8
9* buf.c:
10(xmlBufGrowInternal):
11- Call xmlBufMemoryError() when the buffer size would overflow.
12- Account for NUL terminator byte when using XML_MAX_TEXT_LENGTH.
13- Do not include NUL terminator byte when returning length.
14(xmlBufAdd):
15- Call xmlBufMemoryError() when the buffer size would overflow.
16
17* tree.c:
18(xmlBufferGrow):
19- Call xmlTreeErrMemory() when the buffer size would overflow.
20- Do not include NUL terminator byte when returning length.
21(xmlBufferResize):
22- Update error message in xmlTreeErrMemory() to be consistent
23 with other similar messages.
24(xmlBufferAdd):
25- Call xmlTreeErrMemory() when the buffer size would overflow.
26(xmlBufferAddHead):
27- Add overflow checks similar to those in xmlBufferAdd().
28
29Reference:https://github.com/GNOME/libxml2/commit/6ef16dee7ac8af32b8a0dd793445b1148e240364
30Conflict:NA
31
32---
33 buf.c | 15 ++++++++++-----
34 tree.c | 22 ++++++++++++++++------
35 2 files changed, 26 insertions(+), 11 deletions(-)
36
37diff --git a/buf.c b/buf.c
38index da765f6..e851364 100644
39--- a/buf.c
40+++ b/buf.c
41@@ -440,9 +440,11 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
42
43 if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
44 if (len < buf->size - buf->use)
45- return(buf->size - buf->use);
46- if (len > SIZE_MAX - buf->use)
47+ return(buf->size - buf->use - 1);
48+ if (len >= SIZE_MAX - buf->use) {
49+ xmlBufMemoryError(buf, "growing buffer past SIZE_MAX");
50 return(0);
51+ }
52
53 if (buf->size > (size_t) len) {
54 size = buf->size > SIZE_MAX / 2 ?
SIZE_MAX : buf->size * 2;
55@@ -455,7 +457,7 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
56 /*
57 * Used to provide parsing limits
58 */
59- if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
60+ if ((buf->use + len + 1 >= XML_MAX_TEXT_LENGTH) ||
61 (buf->size >= XML_MAX_TEXT_LENGTH)) {
62 xmlBufMemoryError(buf, "buffer error: text too long\n");
63 return(0);
64@@ -483,7 +485,7 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
65 }
66 buf->size = size;
67 UPDATE_COMPAT(buf)
68- return(buf->size - buf->use);
69+ return(buf->size - buf->use - 1);
70 }
71
72 /**
73@@ -883,9 +885,12 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
74 if (len < 0) return -1;
75 if (len == 0) return 0;
76
77+ /* Note that both buf->size and buf->use can be zero here. */
78 if ((size_t) len >= buf->size - buf->use) {
79- if ((size_t) len >= SIZE_MAX - buf->use)
80+ if ((size_t) len >= SIZE_MAX - buf->use) {
81+ xmlBufMemoryError(buf, "growing buffer past SIZE_MAX");
82 return(-1);
83+ }
84 needSize = buf->use + len + 1;
85 if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
86 /*
87diff --git a/tree.c b/tree.c
88index e275671..ed0a838 100644
89--- a/tree.c
90+++ b/tree.c
91@@ -7338,8 +7338,10 @@ xmlBufferGrow(xmlBufferPtr buf, unsigned int len) {
92 if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
93 if (len < buf->size - buf->use)
94 return(0);
95- if (len > UINT_MAX - buf->use)
96+ if (len >= UINT_MAX - buf->use) {
97+ xmlTreeErrMemory("growing buffer past UINT_MAX");
98 return(-1);
99+ }
100
101 if (buf->size > (size_t) len) {
102 size = buf->size > UINT_MAX / 2 ?
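Review bot: The switch from `>` to `>=` in `if (len >= SIZE_MAX - buf->use)` is what keeps the `buf->use + len + 1` computed in the XML_MAX_TEXT_LENGTH check of the next hunk from wrapping to zero when len equals `SIZE_MAX - buf->use`, but nothing in the code records that, so a later "tightening" back to `>` would reintroduce the wrap silently. A one-line comment above the guard would pin it: `/* >= so that buf->use + len + 1 (the reserved NUL byte) cannot wrap */`. The same guard with the same unstated reason appears in xmlBufAdd in this file and in xmlBufferGrow, xmlBufferAdd and xmlBufferAddHead in tree.c, and deserves the same comment in each. The early `return(buf->size - buf->use - 1)` cannot underflow only because the enclosing `len < buf->size - buf->use` guarantees at least one free byte; that relation is also worth a short comment. The rest of xmlBufGrowInternal's body lies outside this hunk.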
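Review bot: The final `return(buf->size - buf->use - 1)` changes the meaning of xmlBufGrowInternal's result to "bytes that can be appended, not counting the reserved terminator", but the function's header comment, which sits above the first hunk and outside this patch, is not touched; whatever it says about the return value should state that the terminator is excluded so callers do not add the byte back themselves. The early return in the first hunk of this file now has the same meaning and is covered by the same documentation.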
UINT_MAX : buf->size * 2;
103@@ -7367,7 +7369,7 @@ xmlBufferGrow(xmlBufferPtr buf, unsigned int len) {
104 buf->content = newbuf;
105 }
106 buf->size = size;
107- return(buf->size - buf->use);
108+ return(buf->size - buf->use - 1);
109 }
110
111 /**
112@@ -7464,7 +7466,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
113 return 1;
114
115 if (size > UINT_MAX - 10) {
116- xmlTreeErrMemory("growing buffer");
117+ xmlTreeErrMemory("growing buffer past UINT_MAX");
118 return 0;
119 }
120
121@@ -7592,9 +7594,12 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) {
122 if (len < 0) return -1;
123 if (len == 0) return 0;
124
125+ /* Note that both buf->size and buf->use can be zero here. */
126 if ((unsigned) len >= buf->size - buf->use) {
127- if ((unsigned) len >= UINT_MAX - buf->use)
128+ if ((unsigned) len >= UINT_MAX - buf->use) {
129+ xmlTreeErrMemory("growing buffer past UINT_MAX");
130 return XML_ERR_NO_MEMORY;
131+ }
132 needSize = buf->use + len + 1;
133 if (!xmlBufferResize(buf, needSize)){
134 xmlTreeErrMemory("growing buffer");
135@@ -7663,8 +7668,13 @@ xmlBufferAddHead(xmlBufferPtr buf, const xmlChar *str, int len) {
136 return(0);
137 }
138 }
139- needSize = buf->use + len + 2;
140- if (needSize > buf->size){
141+ /* Note that both buf->size and buf->use can be zero here. */
142+ if ((unsigned) len >= buf->size - buf->use) {
143+ if ((unsigned) len >= UINT_MAX - buf->use) {
144+ xmlTreeErrMemory("growing buffer past UINT_MAX");
145+ return(-1);
146+ }
147+ needSize = buf->use + len + 1;
148 if (!xmlBufferResize(buf, needSize)){
149 xmlTreeErrMemory("growing buffer");
150 return XML_ERR_NO_MEMORY;
151--
1522.27.0
153
154
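Review bot: `return(buf->size - buf->use - 1)` in xmlBufferGrow sends an unsigned int difference through an int return, and the growth rule in the preceding hunk (`size = buf->size > UINT_MAX / 2 ? UINT_MAX : buf->size * 2;`) allows buf->size to reach UINT_MAX, so the difference can exceed INT_MAX and the conversion is implementation-defined, in practice negative, which callers that treat the `return(-1)` overflow path as failure would presumably misread as an error. Clamping before the conversion keeps the contract intact: `unsigned int avail = buf->size - buf->use - 1; return(avail > INT_MAX ? INT_MAX : (int) avail);`. The no-growth path in the preceding hunk still returns 0 rather than the available length, which predates this change but means the return value cannot be used uniformly as a capacity; a comment on that early return saying so would help. The function's header comment lies outside both hunks and should also note that the reserved NUL byte is excluded from the count.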
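Review bot: The new overflow branch in xmlBufferAddHead returns `-1`, while the xmlBufferResize failure three lines below returns `XML_ERR_NO_MEMORY` and the identical branch added to xmlBufferAdd in the previous hunk also returns `XML_ERR_NO_MEMORY`; since the commit's stated goal is consistent error reporting, `return XML_ERR_NO_MEMORY;` here would match both. The reservation also shrinks from `buf->use + len + 2` to `buf->use + len + 1`, which is exactly content plus terminator, so it holds only if the copy into the head of the buffer that presumably follows writes no more than buf->use + len + 1 bytes; that code lies outside this hunk and is worth checking against the new size. The rest of xmlBufferAddHead, including its IO fast path above, is outside the hunk as well.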