bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022)

This commit is contained in:
Cyril Jouve 2022-02-12 16:29:41 +01:00 committed by GitHub
parent 168fd6453b
commit 8aaaf7e182
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 238 additions and 31 deletions

View File

@ -0,0 +1 @@
expat: Update libexpat from 2.4.1 to 2.4.4

View File

@ -11,7 +11,7 @@
Copyright (c) 2000-2005 Fred L. Drake, Jr. <fdrake@users.sourceforge.net> Copyright (c) 2000-2005 Fred L. Drake, Jr. <fdrake@users.sourceforge.net>
Copyright (c) 2001-2002 Greg Stein <gstein@users.sourceforge.net> Copyright (c) 2001-2002 Greg Stein <gstein@users.sourceforge.net>
Copyright (c) 2002-2016 Karl Waclawek <karl@waclawek.net> Copyright (c) 2002-2016 Karl Waclawek <karl@waclawek.net>
Copyright (c) 2016-2021 Sebastian Pipping <sebastian@pipping.org> Copyright (c) 2016-2022 Sebastian Pipping <sebastian@pipping.org>
Copyright (c) 2016 Cristian Rodríguez <crrodriguez@opensuse.org> Copyright (c) 2016 Cristian Rodríguez <crrodriguez@opensuse.org>
Copyright (c) 2016 Thomas Beutlich <tc@tbeu.de> Copyright (c) 2016 Thomas Beutlich <tc@tbeu.de>
Copyright (c) 2017 Rhodri James <rhodri@wildebeest.org.uk> Copyright (c) 2017 Rhodri James <rhodri@wildebeest.org.uk>
@ -1041,7 +1041,7 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(
*/ */
#define XML_MAJOR_VERSION 2 #define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 4 #define XML_MINOR_VERSION 4
#define XML_MICRO_VERSION 1 #define XML_MICRO_VERSION 4
#ifdef __cplusplus #ifdef __cplusplus
} }

View File

@ -1,4 +1,4 @@
/* 8539b9040d9d901366a62560a064af7cb99811335784b363abc039c5b0ebc416 (2.4.1+) /* 2e2c8ce5f11a473d65ec313ab20ceee6afefb355f5405afc06e7204e2e41c8c0 (2.4.4+)
__ __ _ __ __ _
___\ \/ /_ __ __ _| |_ ___\ \/ /_ __ __ _| |_
/ _ \\ /| '_ \ / _` | __| / _ \\ /| '_ \ / _` | __|
@ -13,7 +13,7 @@
Copyright (c) 2002-2016 Karl Waclawek <karl@waclawek.net> Copyright (c) 2002-2016 Karl Waclawek <karl@waclawek.net>
Copyright (c) 2005-2009 Steven Solie <ssolie@users.sourceforge.net> Copyright (c) 2005-2009 Steven Solie <ssolie@users.sourceforge.net>
Copyright (c) 2016 Eric Rahm <erahm@mozilla.com> Copyright (c) 2016 Eric Rahm <erahm@mozilla.com>
Copyright (c) 2016-2021 Sebastian Pipping <sebastian@pipping.org> Copyright (c) 2016-2022 Sebastian Pipping <sebastian@pipping.org>
Copyright (c) 2016 Gaurav <g.gupta@samsung.com> Copyright (c) 2016 Gaurav <g.gupta@samsung.com>
Copyright (c) 2016 Thomas Beutlich <tc@tbeu.de> Copyright (c) 2016 Thomas Beutlich <tc@tbeu.de>
Copyright (c) 2016 Gustavo Grieco <gustavo.grieco@imag.fr> Copyright (c) 2016 Gustavo Grieco <gustavo.grieco@imag.fr>
@ -32,6 +32,8 @@
Copyright (c) 2019 David Loffredo <loffredo@steptools.com> Copyright (c) 2019 David Loffredo <loffredo@steptools.com>
Copyright (c) 2019-2020 Ben Wagner <bungeman@chromium.org> Copyright (c) 2019-2020 Ben Wagner <bungeman@chromium.org>
Copyright (c) 2019 Vadim Zeitlin <vadim@zeitlins.org> Copyright (c) 2019 Vadim Zeitlin <vadim@zeitlins.org>
Copyright (c) 2021 Dong-hee Na <donghee.na@python.org>
Copyright (c) 2022 Samanta Navarro <ferivoz@riseup.net>
Licensed under the MIT license: Licensed under the MIT license:
Permission is hereby granted, free of charge, to any person obtaining Permission is hereby granted, free of charge, to any person obtaining
@ -54,6 +56,10 @@
USE OR OTHER DEALINGS IN THE SOFTWARE. USE OR OTHER DEALINGS IN THE SOFTWARE.
*/ */
#define XML_BUILDING_EXPAT 1
#include <expat_config.h>
#if ! defined(_GNU_SOURCE) #if ! defined(_GNU_SOURCE)
# define _GNU_SOURCE 1 /* syscall prototype */ # define _GNU_SOURCE 1 /* syscall prototype */
#endif #endif
@ -84,14 +90,10 @@
# include <errno.h> # include <errno.h>
#endif #endif
#define XML_BUILDING_EXPAT 1
#ifdef _WIN32 #ifdef _WIN32
# include "winconfig.h" # include "winconfig.h"
#endif #endif
#include <expat_config.h>
#include "ascii.h" #include "ascii.h"
#include "expat.h" #include "expat.h"
#include "siphash.h" #include "siphash.h"
@ -973,7 +975,7 @@ parserCreate(const XML_Char *encodingName,
if (memsuite) { if (memsuite) {
XML_Memory_Handling_Suite *mtemp; XML_Memory_Handling_Suite *mtemp;
parser = (XML_Parser)memsuite->malloc_fcn(sizeof(struct XML_ParserStruct)); parser = memsuite->malloc_fcn(sizeof(struct XML_ParserStruct));
if (parser != NULL) { if (parser != NULL) {
mtemp = (XML_Memory_Handling_Suite *)&(parser->m_mem); mtemp = (XML_Memory_Handling_Suite *)&(parser->m_mem);
mtemp->malloc_fcn = memsuite->malloc_fcn; mtemp->malloc_fcn = memsuite->malloc_fcn;
@ -2066,6 +2068,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer); keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
if (keep > XML_CONTEXT_BYTES) if (keep > XML_CONTEXT_BYTES)
keep = XML_CONTEXT_BYTES; keep = XML_CONTEXT_BYTES;
/* Detect and prevent integer overflow */
if (keep > INT_MAX - neededSize) {
parser->m_errorCode = XML_ERROR_NO_MEMORY;
return NULL;
}
neededSize += keep; neededSize += keep;
#endif /* defined XML_CONTEXT_BYTES */ #endif /* defined XML_CONTEXT_BYTES */
if (neededSize if (neededSize
@ -3260,13 +3267,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
/* get the attributes from the tokenizer */ /* get the attributes from the tokenizer */
n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts); n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
/* Detect and prevent integer overflow */
if (n > INT_MAX - nDefaultAtts) {
return XML_ERROR_NO_MEMORY;
}
if (n + nDefaultAtts > parser->m_attsSize) { if (n + nDefaultAtts > parser->m_attsSize) {
int oldAttsSize = parser->m_attsSize; int oldAttsSize = parser->m_attsSize;
ATTRIBUTE *temp; ATTRIBUTE *temp;
#ifdef XML_ATTR_INFO #ifdef XML_ATTR_INFO
XML_AttrInfo *temp2; XML_AttrInfo *temp2;
#endif #endif
/* Detect and prevent integer overflow */
if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
|| (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
return XML_ERROR_NO_MEMORY;
}
parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE; parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
parser->m_attsSize = oldAttsSize;
return XML_ERROR_NO_MEMORY;
}
#endif
temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts, temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts,
parser->m_attsSize * sizeof(ATTRIBUTE)); parser->m_attsSize * sizeof(ATTRIBUTE));
if (temp == NULL) { if (temp == NULL) {
@ -3275,6 +3307,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
} }
parser->m_atts = temp; parser->m_atts = temp;
#ifdef XML_ATTR_INFO #ifdef XML_ATTR_INFO
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
# if UINT_MAX >= SIZE_MAX
if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
parser->m_attsSize = oldAttsSize;
return XML_ERROR_NO_MEMORY;
}
# endif
temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo, temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo,
parser->m_attsSize * sizeof(XML_AttrInfo)); parser->m_attsSize * sizeof(XML_AttrInfo));
if (temp2 == NULL) { if (temp2 == NULL) {
@ -3413,7 +3456,13 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
if (nPrefixes) { if (nPrefixes) {
int j; /* hash table index */ int j; /* hash table index */
unsigned long version = parser->m_nsAttsVersion; unsigned long version = parser->m_nsAttsVersion;
int nsAttsSize = (int)1 << parser->m_nsAttsPower;
/* Detect and prevent invalid shift */
if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
return XML_ERROR_NO_MEMORY;
}
unsigned int nsAttsSize = 1u << parser->m_nsAttsPower;
unsigned char oldNsAttsPower = parser->m_nsAttsPower; unsigned char oldNsAttsPower = parser->m_nsAttsPower;
/* size of hash table must be at least 2 * (# of prefixed attributes) */ /* size of hash table must be at least 2 * (# of prefixed attributes) */
if ((nPrefixes << 1) if ((nPrefixes << 1)
@ -3424,7 +3473,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
; ;
if (parser->m_nsAttsPower < 3) if (parser->m_nsAttsPower < 3)
parser->m_nsAttsPower = 3; parser->m_nsAttsPower = 3;
nsAttsSize = (int)1 << parser->m_nsAttsPower;
/* Detect and prevent invalid shift */
if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
/* Restore actual size of memory in m_nsAtts */
parser->m_nsAttsPower = oldNsAttsPower;
return XML_ERROR_NO_MEMORY;
}
nsAttsSize = 1u << parser->m_nsAttsPower;
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
/* Restore actual size of memory in m_nsAtts */
parser->m_nsAttsPower = oldNsAttsPower;
return XML_ERROR_NO_MEMORY;
}
#endif
temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts, temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts,
nsAttsSize * sizeof(NS_ATT)); nsAttsSize * sizeof(NS_ATT));
if (! temp) { if (! temp) {
@ -3582,9 +3652,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
tagNamePtr->prefixLen = prefixLen; tagNamePtr->prefixLen = prefixLen;
for (i = 0; localPart[i++];) for (i = 0; localPart[i++];)
; /* i includes null terminator */ ; /* i includes null terminator */
/* Detect and prevent integer overflow */
if (binding->uriLen > INT_MAX - prefixLen
|| i > INT_MAX - (binding->uriLen + prefixLen)) {
return XML_ERROR_NO_MEMORY;
}
n = i + binding->uriLen + prefixLen; n = i + binding->uriLen + prefixLen;
if (n > binding->uriAlloc) { if (n > binding->uriAlloc) {
TAG *p; TAG *p;
/* Detect and prevent integer overflow */
if (n > INT_MAX - EXPAND_SPARE) {
return XML_ERROR_NO_MEMORY;
}
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
return XML_ERROR_NO_MEMORY;
}
#endif
uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char)); uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
if (! uri) if (! uri)
return XML_ERROR_NO_MEMORY; return XML_ERROR_NO_MEMORY;
@ -3680,6 +3772,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
if (parser->m_freeBindingList) { if (parser->m_freeBindingList) {
b = parser->m_freeBindingList; b = parser->m_freeBindingList;
if (len > b->uriAlloc) { if (len > b->uriAlloc) {
/* Detect and prevent integer overflow */
if (len > INT_MAX - EXPAND_SPARE) {
return XML_ERROR_NO_MEMORY;
}
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
return XML_ERROR_NO_MEMORY;
}
#endif
XML_Char *temp = (XML_Char *)REALLOC( XML_Char *temp = (XML_Char *)REALLOC(
parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE)); parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));
if (temp == NULL) if (temp == NULL)
@ -3692,6 +3799,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
b = (BINDING *)MALLOC(parser, sizeof(BINDING)); b = (BINDING *)MALLOC(parser, sizeof(BINDING));
if (! b) if (! b)
return XML_ERROR_NO_MEMORY; return XML_ERROR_NO_MEMORY;
/* Detect and prevent integer overflow */
if (len > INT_MAX - EXPAND_SPARE) {
return XML_ERROR_NO_MEMORY;
}
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
return XML_ERROR_NO_MEMORY;
}
#endif
b->uri b->uri
= (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE)); = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
if (! b->uri) { if (! b->uri) {
@ -3976,7 +4098,7 @@ initializeEncoding(XML_Parser parser) {
const char *s; const char *s;
#ifdef XML_UNICODE #ifdef XML_UNICODE
char encodingBuf[128]; char encodingBuf[128];
/* See comments about `protoclEncodingName` in parserInit() */ /* See comments about `protocolEncodingName` in parserInit() */
if (! parser->m_protocolEncodingName) if (! parser->m_protocolEncodingName)
s = NULL; s = NULL;
else { else {
@ -5018,6 +5140,11 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
if (parser->m_prologState.level >= parser->m_groupSize) { if (parser->m_prologState.level >= parser->m_groupSize) {
if (parser->m_groupSize) { if (parser->m_groupSize) {
{ {
/* Detect and prevent integer overflow */
if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
return XML_ERROR_NO_MEMORY;
}
char *const new_connector = (char *)REALLOC( char *const new_connector = (char *)REALLOC(
parser, parser->m_groupConnector, parser->m_groupSize *= 2); parser, parser->m_groupConnector, parser->m_groupSize *= 2);
if (new_connector == NULL) { if (new_connector == NULL) {
@ -5028,6 +5155,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
} }
if (dtd->scaffIndex) { if (dtd->scaffIndex) {
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
return XML_ERROR_NO_MEMORY;
}
#endif
int *const new_scaff_index = (int *)REALLOC( int *const new_scaff_index = (int *)REALLOC(
parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int)); parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int));
if (new_scaff_index == NULL) if (new_scaff_index == NULL)
@ -5236,7 +5373,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
if (dtd->in_eldecl) { if (dtd->in_eldecl) {
ELEMENT_TYPE *el; ELEMENT_TYPE *el;
const XML_Char *name; const XML_Char *name;
int nameLen; size_t nameLen;
const char *nxt const char *nxt
= (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar); = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
int myindex = nextScaffoldPart(parser); int myindex = nextScaffoldPart(parser);
@ -5252,7 +5389,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
nameLen = 0; nameLen = 0;
for (; name[nameLen++];) for (; name[nameLen++];)
; ;
dtd->contentStringLen += nameLen;
/* Detect and prevent integer overflow */
if (nameLen > UINT_MAX - dtd->contentStringLen) {
return XML_ERROR_NO_MEMORY;
}
dtd->contentStringLen += (unsigned)nameLen;
if (parser->m_elementDeclHandler) if (parser->m_elementDeclHandler)
handleDefault = XML_FALSE; handleDefault = XML_FALSE;
} }
@ -6098,7 +6241,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
} }
} else { } else {
DEFAULT_ATTRIBUTE *temp; DEFAULT_ATTRIBUTE *temp;
/* Detect and prevent integer overflow */
if (type->allocDefaultAtts > INT_MAX / 2) {
return 0;
}
int count = type->allocDefaultAtts * 2; int count = type->allocDefaultAtts * 2;
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
return 0;
}
#endif
temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts, temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts,
(count * sizeof(DEFAULT_ATTRIBUTE))); (count * sizeof(DEFAULT_ATTRIBUTE)));
if (temp == NULL) if (temp == NULL)
@ -6388,7 +6548,7 @@ normalizePublicId(XML_Char *publicId) {
static DTD * static DTD *
dtdCreate(const XML_Memory_Handling_Suite *ms) { dtdCreate(const XML_Memory_Handling_Suite *ms) {
DTD *p = (DTD *)ms->malloc_fcn(sizeof(DTD)); DTD *p = ms->malloc_fcn(sizeof(DTD));
if (p == NULL) if (p == NULL)
return p; return p;
poolInit(&(p->pool), ms); poolInit(&(p->pool), ms);
@ -6561,8 +6721,8 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
if (! newE) if (! newE)
return 0; return 0;
if (oldE->nDefaultAtts) { if (oldE->nDefaultAtts) {
newE->defaultAtts = (DEFAULT_ATTRIBUTE *)ms->malloc_fcn( newE->defaultAtts
oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
if (! newE->defaultAtts) { if (! newE->defaultAtts) {
return 0; return 0;
} }
@ -6724,7 +6884,7 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
/* table->size is a power of 2 */ /* table->size is a power of 2 */
table->size = (size_t)1 << INIT_POWER; table->size = (size_t)1 << INIT_POWER;
tsize = table->size * sizeof(NAMED *); tsize = table->size * sizeof(NAMED *);
table->v = (NAMED **)table->mem->malloc_fcn(tsize); table->v = table->mem->malloc_fcn(tsize);
if (! table->v) { if (! table->v) {
table->size = 0; table->size = 0;
return NULL; return NULL;
@ -6749,10 +6909,22 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
/* check for overflow (table is half full) */ /* check for overflow (table is half full) */
if (table->used >> (table->power - 1)) { if (table->used >> (table->power - 1)) {
unsigned char newPower = table->power + 1; unsigned char newPower = table->power + 1;
/* Detect and prevent invalid shift */
if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
return NULL;
}
size_t newSize = (size_t)1 << newPower; size_t newSize = (size_t)1 << newPower;
unsigned long newMask = (unsigned long)newSize - 1; unsigned long newMask = (unsigned long)newSize - 1;
/* Detect and prevent integer overflow */
if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
return NULL;
}
size_t tsize = newSize * sizeof(NAMED *); size_t tsize = newSize * sizeof(NAMED *);
NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize); NAMED **newV = table->mem->malloc_fcn(tsize);
if (! newV) if (! newV)
return NULL; return NULL;
memset(newV, 0, tsize); memset(newV, 0, tsize);
@ -6781,7 +6953,7 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
} }
} }
} }
table->v[i] = (NAMED *)table->mem->malloc_fcn(createSize); table->v[i] = table->mem->malloc_fcn(createSize);
if (! table->v[i]) if (! table->v[i])
return NULL; return NULL;
memset(table->v[i], 0, createSize); memset(table->v[i], 0, createSize);
@ -7069,7 +7241,7 @@ poolGrow(STRING_POOL *pool) {
if (bytesToAllocate == 0) if (bytesToAllocate == 0)
return XML_FALSE; return XML_FALSE;
tem = (BLOCK *)pool->mem->malloc_fcn(bytesToAllocate); tem = pool->mem->malloc_fcn(bytesToAllocate);
if (! tem) if (! tem)
return XML_FALSE; return XML_FALSE;
tem->size = blockSize; tem->size = blockSize;
@ -7100,6 +7272,20 @@ nextScaffoldPart(XML_Parser parser) {
if (dtd->scaffCount >= dtd->scaffSize) { if (dtd->scaffCount >= dtd->scaffSize) {
CONTENT_SCAFFOLD *temp; CONTENT_SCAFFOLD *temp;
if (dtd->scaffold) { if (dtd->scaffold) {
/* Detect and prevent integer overflow */
if (dtd->scaffSize > UINT_MAX / 2u) {
return -1;
}
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
return -1;
}
#endif
temp = (CONTENT_SCAFFOLD *)REALLOC( temp = (CONTENT_SCAFFOLD *)REALLOC(
parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD)); parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
if (temp == NULL) if (temp == NULL)
@ -7169,8 +7355,26 @@ build_model(XML_Parser parser) {
XML_Content *ret; XML_Content *ret;
XML_Content *cpos; XML_Content *cpos;
XML_Char *str; XML_Char *str;
int allocsize = (dtd->scaffCount * sizeof(XML_Content)
+ (dtd->contentStringLen * sizeof(XML_Char))); /* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
return NULL;
}
if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
return NULL;
}
#endif
if (dtd->scaffCount * sizeof(XML_Content)
> (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
return NULL;
}
const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
+ (dtd->contentStringLen * sizeof(XML_Char)));
ret = (XML_Content *)MALLOC(parser, allocsize); ret = (XML_Content *)MALLOC(parser, allocsize);
if (! ret) if (! ret)

View File

@ -15,6 +15,7 @@
Copyright (c) 2016-2021 Sebastian Pipping <sebastian@pipping.org> Copyright (c) 2016-2021 Sebastian Pipping <sebastian@pipping.org>
Copyright (c) 2017 Rhodri James <rhodri@wildebeest.org.uk> Copyright (c) 2017 Rhodri James <rhodri@wildebeest.org.uk>
Copyright (c) 2019 David Loffredo <loffredo@steptools.com> Copyright (c) 2019 David Loffredo <loffredo@steptools.com>
Copyright (c) 2021 Dong-hee Na <donghee.na@python.org>
Licensed under the MIT license: Licensed under the MIT license:
Permission is hereby granted, free of charge, to any person obtaining Permission is hereby granted, free of charge, to any person obtaining
@ -37,14 +38,14 @@
USE OR OTHER DEALINGS IN THE SOFTWARE. USE OR OTHER DEALINGS IN THE SOFTWARE.
*/ */
#include <expat_config.h>
#include <stddef.h> #include <stddef.h>
#ifdef _WIN32 #ifdef _WIN32
# include "winconfig.h" # include "winconfig.h"
#endif #endif
#include <expat_config.h>
#include "expat_external.h" #include "expat_external.h"
#include "internal.h" #include "internal.h"
#include "xmlrole.h" #include "xmlrole.h"

View File

@ -20,6 +20,7 @@
Copyright (c) 2017 Benbuck Nason <bnason@netflix.com> Copyright (c) 2017 Benbuck Nason <bnason@netflix.com>
Copyright (c) 2017 José Gutiérrez de la Concha <jose@zeroc.com> Copyright (c) 2017 José Gutiérrez de la Concha <jose@zeroc.com>
Copyright (c) 2019 David Loffredo <loffredo@steptools.com> Copyright (c) 2019 David Loffredo <loffredo@steptools.com>
Copyright (c) 2021 Dong-hee Na <donghee.na@python.org>
Licensed under the MIT license: Licensed under the MIT license:
Permission is hereby granted, free of charge, to any person obtaining Permission is hereby granted, free of charge, to any person obtaining
@ -42,16 +43,16 @@
USE OR OTHER DEALINGS IN THE SOFTWARE. USE OR OTHER DEALINGS IN THE SOFTWARE.
*/ */
#ifdef _WIN32
# include "winconfig.h"
#endif
#include <expat_config.h> #include <expat_config.h>
#include <stddef.h> #include <stddef.h>
#include <string.h> /* memcpy */ #include <string.h> /* memcpy */
#include <stdbool.h> #include <stdbool.h>
#ifdef _WIN32
# include "winconfig.h"
#endif
#include "expat_external.h" #include "expat_external.h"
#include "internal.h" #include "internal.h"
#include "xmltok.h" #include "xmltok.h"

View File

@ -11,7 +11,7 @@
Copyright (c) 2002 Greg Stein <gstein@users.sourceforge.net> Copyright (c) 2002 Greg Stein <gstein@users.sourceforge.net>
Copyright (c) 2002 Fred L. Drake, Jr. <fdrake@users.sourceforge.net> Copyright (c) 2002 Fred L. Drake, Jr. <fdrake@users.sourceforge.net>
Copyright (c) 2002-2006 Karl Waclawek <karl@waclawek.net> Copyright (c) 2002-2006 Karl Waclawek <karl@waclawek.net>
Copyright (c) 2017 Sebastian Pipping <sebastian@pipping.org> Copyright (c) 2017-2021 Sebastian Pipping <sebastian@pipping.org>
Licensed under the MIT license: Licensed under the MIT license:
Permission is hereby granted, free of charge, to any person obtaining Permission is hereby granted, free of charge, to any person obtaining
@ -93,7 +93,7 @@ NS(XmlInitEncoding)(INIT_ENCODING *p, const ENCODING **encPtr,
static const ENCODING * static const ENCODING *
NS(findEncoding)(const ENCODING *enc, const char *ptr, const char *end) { NS(findEncoding)(const ENCODING *enc, const char *ptr, const char *end) {
# define ENCODING_MAX 128 # define ENCODING_MAX 128
char buf[ENCODING_MAX]; char buf[ENCODING_MAX] = "";
char *p = buf; char *p = buf;
int i; int i;
XmlUtf8Convert(enc, &ptr, end, &p, p + ENCODING_MAX - 1); XmlUtf8Convert(enc, &ptr, end, &p, p + ENCODING_MAX - 1);