Amebis/wxWidgets
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prevent out-of-bounds access in text conversion

Browse Source 
* big2_toUtf8
* little2_toUtf8
* utf8_toUtf8
* utf8_toUtf16
This commit is contained in:
Sebastian Pipping
2016-05-01 23:40:05 +02:00
committed by Vadim Zeitlin
parent 66102231d3
commit c5efe0c7db
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/expat/lib/xmltok.c
View File

@@ -335,7 +335,7 @@ utf8_toUtf8(const ENCODING *enc,
if (((unsigned char)fromLim[-1] & 0xc0) != 0x80) if (((unsigned char)fromLim[-1] & 0xc0) != 0x80)
break; break;
} }
for (to = *toP, from = *fromP; from < fromLim; from++, to++) for (to = *toP, from = *fromP; (from < fromLim) && (to < toLim); from++, to++)
*to = *from; *to = *from;
*fromP = from; *fromP = from;
*toP = to; *toP = to;
@@ -351,10 +351,14 @@ utf8_toUtf16(const ENCODING *enc,
while (from < fromLim && to < toLim) { while (from < fromLim && to < toLim) {
switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) { switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) {
case BT_LEAD2: case BT_LEAD2:
if (from + 2 > fromLim)
break;
*to++ = (unsigned short)(((from[0] & 0x1f) << 6) | (from[1] & 0x3f)); *to++ = (unsigned short)(((from[0] & 0x1f) << 6) | (from[1] & 0x3f));
from += 2; from += 2;
break; break;
case BT_LEAD3: case BT_LEAD3:
if (from + 3 > fromLim)
break;
*to++ = (unsigned short)(((from[0] & 0xf) << 12) *to++ = (unsigned short)(((from[0] & 0xf) << 12)
| ((from[1] & 0x3f) << 6) | (from[2] & 0x3f)); | ((from[1] & 0x3f) << 6) | (from[2] & 0x3f));
from += 3; from += 3;
@@ -364,6 +368,8 @@ utf8_toUtf16(const ENCODING *enc,
unsigned long n; unsigned long n;
if (to + 1 == toLim) if (to + 1 == toLim)
goto after; goto after;
if (from + 4 > fromLim)
goto after;
n = ((from[0] & 0x7) << 18) | ((from[1] & 0x3f) << 12) n = ((from[0] & 0x7) << 18) | ((from[1] & 0x3f) << 12)
| ((from[2] & 0x3f) << 6) | (from[3] & 0x3f); | ((from[2] & 0x3f) << 6) | (from[3] & 0x3f);
n -= 0x10000; n -= 0x10000;
@@ -583,7 +589,7 @@ E ## toUtf8(const ENCODING *enc, \
*(*toP)++ = ((lo & 0x3f) | 0x80); \ *(*toP)++ = ((lo & 0x3f) | 0x80); \
break; \ break; \
case 0xD8: case 0xD9: case 0xDA: case 0xDB: \ case 0xD8: case 0xD9: case 0xDA: case 0xDB: \
if (toLim - *toP < 4) { \ if ((toLim - *toP < 4) || (from + 4 > fromLim)) { \
*fromP = from; \ *fromP = from; \
return; \ return; \
} \ } \