Author: scantor Date: Thu Mar 19 20:56:46 2015 New Revision: 1667870 URL: http://svn.apache.org/r1667870 Log: Work on XML declaration handling
Modified: xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp Modified: xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp URL: http://svn.apache.org/viewvc/xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp?rev=1667870&r1=1667869&r2=1667870&view=diff ============================================================================== --- xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp (original) +++ xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp Thu Mar 19 20:56:46 2015 @@ -1459,6 +1459,17 @@ void XMLReader::doInitDecode() while (fRawBufIndex < fRawBytesAvail) { + // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume. + if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) { + ThrowXMLwithMemMgr1 + ( + TranscodingException + , XMLExcepts::Reader_CouldNotDecodeFirstLine + , fSystemId + , fMemoryManager + ); + } + // Get out the current 4 byte value and inc our raw buf index UCS4Ch curVal = *asUCS++; fRawBufIndex += sizeof(UCS4Ch); @@ -1618,6 +1629,17 @@ void XMLReader::doInitDecode() while (fRawBufIndex < fRawBytesAvail) { + // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume. + if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) { + ThrowXMLwithMemMgr1 + ( + TranscodingException + , XMLExcepts::Reader_CouldNotDecodeFirstLine + , fSystemId + , fMemoryManager + ); + } + // Get out the current 2 byte value UTF16Ch curVal = *asUTF16++; fRawBufIndex += sizeof(UTF16Ch); @@ -1707,6 +1729,17 @@ void XMLReader::doInitDecode() // void XMLReader::refreshRawBuffer() { + // Security fix: make sure we don't underflow on the subtraction. + if (fRawBufIndex > fRawBytesAvail) { + ThrowXMLwithMemMgr1 + ( + RuntimeException + , XMLExcepts::Str_StartIndexPastEnd + , fSystemId + , fMemoryManager + ); + } + // // If there are any bytes left, move them down to the start. There // should only ever be (max bytes per char - 1) at the most. --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@xerces.apache.org For additional commands, e-mail: commits-h...@xerces.apache.org