shaba/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-03-09 04:58:16 +03:00
Code

Fix integer overflow when counting written bytes

Browse Source 
Check for integer overflow when updating the `written` member of
struct xmlOutputBuffer in xmlIO.c.

Closes #112. Resolves !54 and !55.
This commit is contained in:
Nick Wellnhofer 2019-10-14 16:56:59 +02:00
parent 1fda32480c
commit 40e00bc517
1 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
xmlIO.c
View File

@ -3413,7 +3413,10 @@ xmlOutputBufferWrite(xmlOutputBufferPtr out, int len, const char *buf) {
out->error = XML_IO_WRITE;
return(ret);
}
out->written += ret;
if (out->written > INT_MAX - ret)
out->written = INT_MAX;
else
out->written += ret;
}
written += nbchars;
} while (len > 0);
@ -3609,7 +3612,10 @@ xmlOutputBufferWriteEscape(xmlOutputBufferPtr out, const xmlChar *str,
out->error = XML_IO_WRITE;
return(ret);
}
out->written += ret;
if (out->written > INT_MAX - ret)
out->written = INT_MAX;
else
out->written += ret;
} else if (xmlBufAvail(out->buffer) < MINLEN) {
xmlBufGrow(out->buffer, MINLEN);
}
@ -3703,7 +3709,10 @@ xmlOutputBufferFlush(xmlOutputBufferPtr out) {
out->error = XML_IO_FLUSH;
return(ret);
}
out->written += ret;
if (out->written > INT_MAX - ret)
out->written = INT_MAX;
else
out->written += ret;
#ifdef DEBUG_INPUT
xmlGenericError(xmlGenericErrorContext,