shaba/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-01-12 09:17:37 +03:00
Code

Fix return value of xmlOutputBufferWrite

Browse Source 
When using memory buffers, the total size of the buffer was added
again and again, potentially leading to an integer overflow.

Found by OSS-Fuzz.
This commit is contained in:
Nick Wellnhofer 2019-05-15 12:47:28 +02:00
parent 3c0d62b419
commit 407b393d80
1 changed files with 22 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
xmlIO.c
View File

@ -3372,20 +3372,26 @@ xmlOutputBufferWrite(xmlOutputBufferPtr out, int len, const char *buf) {
out->error = XML_IO_ENCODER;
return(-1);
}
nbchars = xmlBufUse(out->conv);
if (out->writecallback)
nbchars = xmlBufUse(out->conv);
else
nbchars = ret;
} else {
ret = xmlBufAdd(out->buffer, (const xmlChar *) buf, chunk);
if (ret != 0)
return(-1);
nbchars = xmlBufUse(out->buffer);
if (out->writecallback)
nbchars = xmlBufUse(out->buffer);
else
nbchars = chunk;
}
buf += chunk;
len -= chunk;
if ((nbchars < MINLEN) && (len <= 0))
goto done;
if (out->writecallback) {
if ((nbchars < MINLEN) && (len <= 0))
goto done;
/*
* second write the stuff to the I/O channel
*/
@ -3561,21 +3567,27 @@ xmlOutputBufferWriteEscape(xmlOutputBufferPtr out, const xmlChar *str,
out->error = XML_IO_ENCODER;
return(-1);
}
nbchars = xmlBufUse(out->conv);
if (out->writecallback)
nbchars = xmlBufUse(out->conv);
else
nbchars = ret;
} else {
ret = escaping(xmlBufEnd(out->buffer), &chunk, str, &cons);
if ((ret < 0) || (chunk == 0)) /* chunk==0 => nothing done */
return(-1);
xmlBufAddLen(out->buffer, chunk);
nbchars = xmlBufUse(out->buffer);
if (out->writecallback)
nbchars = xmlBufUse(out->buffer);
else
nbchars = chunk;
}
str += cons;
len -= cons;
if ((nbchars < MINLEN) && (len <= 0))
goto done;
if (out->writecallback) {
if ((nbchars < MINLEN) && (len <= 0))
goto done;
/*
* second write the stuff to the I/O channel
*/