merge 3.4 (#26556)
This commit is contained in:
commit
b5ad54990f
|
@ -139,6 +139,8 @@ Core and Builtins
|
|||
Library
|
||||
-------
|
||||
|
||||
- Issue #26556: Update expat to 2.1.1, fixes CVE-2015-1283.
|
||||
|
||||
- Fix TLS stripping vulnerability in smptlib, CVE-2016-0772. Reported by Team
|
||||
Oststrom
|
||||
|
||||
|
|
|
@ -1040,7 +1040,7 @@ XML_GetFeatureList(void);
|
|||
*/
|
||||
#define XML_MAJOR_VERSION 2
|
||||
#define XML_MINOR_VERSION 1
|
||||
#define XML_MICRO_VERSION 0
|
||||
#define XML_MICRO_VERSION 1
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|
|
|
@ -1550,7 +1550,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
|
|||
else if (bufferPtr == bufferEnd) {
|
||||
const char *end;
|
||||
int nLeftOver;
|
||||
enum XML_Error result;
|
||||
enum XML_Status result;
|
||||
parseEndByteIndex += len;
|
||||
positionPtr = s;
|
||||
ps_finalBuffer = (XML_Bool)isFinal;
|
||||
|
@ -1678,6 +1678,10 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
|
|||
void * XMLCALL
|
||||
XML_GetBuffer(XML_Parser parser, int len)
|
||||
{
|
||||
if (len < 0) {
|
||||
errorCode = XML_ERROR_NO_MEMORY;
|
||||
return NULL;
|
||||
}
|
||||
switch (ps_parsing) {
|
||||
case XML_SUSPENDED:
|
||||
errorCode = XML_ERROR_SUSPENDED;
|
||||
|
@ -1689,10 +1693,16 @@ XML_GetBuffer(XML_Parser parser, int len)
|
|||
}
|
||||
|
||||
if (len > bufferLim - bufferEnd) {
|
||||
/* FIXME avoid integer overflow */
|
||||
int neededSize = len + (int)(bufferEnd - bufferPtr);
|
||||
#ifdef XML_CONTEXT_BYTES
|
||||
int keep = (int)(bufferPtr - buffer);
|
||||
int keep;
|
||||
#endif
|
||||
int neededSize = len + (int)(bufferEnd - bufferPtr);
|
||||
if (neededSize < 0) {
|
||||
errorCode = XML_ERROR_NO_MEMORY;
|
||||
return NULL;
|
||||
}
|
||||
#ifdef XML_CONTEXT_BYTES
|
||||
keep = (int)(bufferPtr - buffer);
|
||||
|
||||
if (keep > XML_CONTEXT_BYTES)
|
||||
keep = XML_CONTEXT_BYTES;
|
||||
|
@ -1719,7 +1729,11 @@ XML_GetBuffer(XML_Parser parser, int len)
|
|||
bufferSize = INIT_BUFFER_SIZE;
|
||||
do {
|
||||
bufferSize *= 2;
|
||||
} while (bufferSize < neededSize);
|
||||
} while (bufferSize < neededSize && bufferSize > 0);
|
||||
if (bufferSize <= 0) {
|
||||
errorCode = XML_ERROR_NO_MEMORY;
|
||||
return NULL;
|
||||
}
|
||||
newBuf = (char *)MALLOC(bufferSize);
|
||||
if (newBuf == 0) {
|
||||
errorCode = XML_ERROR_NO_MEMORY;
|
||||
|
@ -2911,6 +2925,8 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
|
|||
unsigned long uriHash = hash_secret_salt;
|
||||
((XML_Char *)s)[-1] = 0; /* clear flag */
|
||||
id = (ATTRIBUTE_ID *)lookup(parser, &dtd->attributeIds, s, 0);
|
||||
if (!id || !id->prefix)
|
||||
return XML_ERROR_NO_MEMORY;
|
||||
b = id->prefix->binding;
|
||||
if (!b)
|
||||
return XML_ERROR_UNBOUND_PREFIX;
|
||||
|
@ -5475,6 +5491,8 @@ getAttributeId(XML_Parser parser, const ENCODING *enc,
|
|||
return NULL;
|
||||
id->prefix = (PREFIX *)lookup(parser, &dtd->prefixes, poolStart(&dtd->pool),
|
||||
sizeof(PREFIX));
|
||||
if (!id->prefix)
|
||||
return NULL;
|
||||
if (id->prefix->name == poolStart(&dtd->pool))
|
||||
poolFinish(&dtd->pool);
|
||||
else
|
||||
|
|
|
@ -1584,7 +1584,7 @@ initScan(const ENCODING * const *encodingTable,
|
|||
if (ptr[0] == '\0') {
|
||||
/* 0 isn't a legal data character. Furthermore a document
|
||||
entity can only start with ASCII characters. So the only
|
||||
way this can fail to be big-endian UTF-16 is if it is an
|
||||
way this can fail to be big-endian UTF-16 if it it's an
|
||||
external parsed general entity that's labelled as
|
||||
UTF-16LE.
|
||||
*/
|
||||
|
|
Loading…
Reference in New Issue