(xerces-c) branch xerces-3.3 updated: XERCESC-2250 - Curl NetAccessor mishandles larger data with error

[scantor]

This is an automated email from the ASF dual-hosted git repository.

scantor pushed a commit to branch xerces-3.3
in repository https://gitbox.apache.org/repos/asf/xerces-c.git


The following commit(s) were added to refs/heads/xerces-3.3 by this push:
     new 269645b83 XERCESC-2250 - Curl NetAccessor mishandles larger data with 
error
269645b83 is described below

commit 269645b83bce58dc8def2a8f5374284aa938630f
Author: Scott Cantor <canto...@osu.edu>
AuthorDate: Mon Sep 23 15:41:46 2024 -0400

    XERCESC-2250 - Curl NetAccessor mishandles larger data with error
    
    Add hard limit on buffer size of 1G.
---
 src/xercesc/util/NetAccessors/Curl/CurlURLInputStream.cpp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/xercesc/util/NetAccessors/Curl/CurlURLInputStream.cpp 
b/src/xercesc/util/NetAccessors/Curl/CurlURLInputStream.cpp
index b05ae5e40..513a9e8c1 100644
--- a/src/xercesc/util/NetAccessors/Curl/CurlURLInputStream.cpp
+++ b/src/xercesc/util/NetAccessors/Curl/CurlURLInputStream.cpp
@@ -39,6 +39,8 @@
   #include <sys/time.h>
 #endif
 
+#include <algorithm>
+
 #include <xercesc/util/XercesDefs.hpp>
 #include <xercesc/util/XMLNetAccessor.hpp>
 #include <xercesc/util/NetAccessors/Curl/CurlURLInputStream.hpp>
@@ -52,6 +54,7 @@
 
 XERCES_CPP_NAMESPACE_BEGIN
 
+#define MAX_CURL_ALLOC_SIZE 1073741824
 
 CurlURLInputStream::CurlURLInputStream(const XMLURL& urlSource, const 
XMLNetHTTPInfo* httpInfo/*=0*/)
       : fMulti(0)
@@ -268,7 +271,11 @@ CurlURLInputStream::writeCallback(char *buffer,
                 XMLSize_t bufAvail = fBufferSize - (fBufferHeadPtr - fBuffer);
                 if (bufAvail < cnt) {
                     // Enlarge the buffer.
-                    XMLByte* newbuf = 
reinterpret_cast<XMLByte*>(fMemoryManager->allocate(fBufferSize + (cnt - 
bufAvail)));
+                    XMLSize_t newsize = fBufferSize + (cnt - bufAvail);
+                    if (newsize > MAX_CURL_ALLOC_SIZE) {
+                        return 0;
+                    }
+                    XMLByte* newbuf = 
reinterpret_cast<XMLByte*>(fMemoryManager->allocate(newsize));
                     if (!newbuf) {
                         // Enlarge attempt failed, signal error back to 
libcurl.
                         // The dedicated error code is a recent libcurl 
addition so is not portable.
@@ -276,7 +283,7 @@ CurlURLInputStream::writeCallback(char *buffer,
                     }
                     // Not a realloc, so we have to copy the data from old to 
new.
                     memcpy(newbuf, fBuffer, fBufferHeadPtr - fBuffer);
-                    fBufferSize = fBufferSize + (cnt - bufAvail);
+                    fBufferSize = newsize;
                     //printf("enlarged buffer to %u bytes", fBufferSize);
                     fBufferHeadPtr = newbuf + (fBufferHeadPtr - fBuffer);
                     fMemoryManager->deallocate(fBuffer);


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org