Hi,
First, thank you for your time and efforts in supporting libxml2!
While updating to the latest version I ran into an issue in parser.c with the
xmlGROW routine.
The issue is with the way it compiles and runs under Windows:
Line 2042
The current version uses:
    if ((((ctxt->input->end - ctxt->input->cur) > XML_MAX_LOOKUP_LIMIT) ||
         ((ctxt->input->cur - ctxt->input->base) > XML_MAX_LOOKUP_LIMIT)) &&
        ((ctxt->input->buf) && (ctxt->input->buf->readcallback !=
                                (xmlInputReadCallback) xmlNop)) &&
        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
However, the issue is that cur, end, and base don't compare correctly under all
conditions (large pointers) and this has caused crashes in poorly
formulated (erroneous) XML.
I've modified this in our code to use:
    unsigned long curEnd = ctxt->input->end - ctxt->input->cur;
    unsigned long curBase = ctxt->input->cur - ctxt->input->base;
    if (((curEnd > (unsigned long)XML_MAX_LOOKUP_LIMIT) ||
         (curBase > (unsigned long)XML_MAX_LOOKUP_LIMIT)) &&
        ((ctxt->input->buf) && (ctxt->input->buf->readcallback !=
                                (xmlInputReadCallback) xmlNop)) &&
        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
Which forces the system to do unsigned comparisons and eliminated the crash.
Thanks again for your efforts!
Best Regards,
Jon Longstreth
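
Added example, not part of the message above and not libxml2 code: a reduced form of the two comparisons, run over three constructed pointer states, showing where the signed and unsigned forms disagree. The struct, function names, the small LOOKUP_LIMIT value and the "cur past end" state are assumptions made for illustration; the post does not spell out the exact failing state.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed small stand-in for libxml2's XML_MAX_LOOKUP_LIMIT. */
#define LOOKUP_LIMIT 1024

/* Hypothetical reduction of the parser input to the three pointers compared. */
struct input { const unsigned char *base, *cur, *end; };

/* Signed form: pointer differences stay ptrdiff_t, as in the quoted condition. */
static int over_limit_signed(const struct input *in)
{
    ptrdiff_t cur_end = in->end - in->cur;
    ptrdiff_t cur_base = in->cur - in->base;
    return (cur_end > LOOKUP_LIMIT) || (cur_base > LOOKUP_LIMIT);
}

/* Unsigned form, mirroring the modification in the post. A negative
 * difference wraps to a very large value and so exceeds the limit. */
static int over_limit_unsigned(const struct input *in)
{
    unsigned long cur_end = (unsigned long)(in->end - in->cur);
    unsigned long cur_base = (unsigned long)(in->cur - in->base);
    return (cur_end > (unsigned long)LOOKUP_LIMIT) ||
           (cur_base > (unsigned long)LOOKUP_LIMIT);
}

static unsigned char buf[4096]; /* constructed sample buffer */

/* Three constructed states: consistent, far from base, cur past end. */
static struct input sample(int which)
{
    struct input in = { buf, buf + 8, buf + 16 };                 /* 0 */
    if (which == 1) { in.cur = buf + 2048; in.end = buf + 2064; } /* far */
    if (which == 2) { in.cur = buf + 32; in.end = buf + 16; }     /* inverted */
    return in;
}

int main(void)
{
    static const char *names[] = { "consistent", "far from base", "cur past end" };
    for (int i = 0; i < 3; i++) {
        struct input in = sample(i);
        printf("%-14s signed=%d unsigned=%d\n", names[i],
               over_limit_signed(&in), over_limit_unsigned(&in));
    }
    return 0;
}
```

On 64-bit Windows unsigned long is 32 bits wide while pointers are 64 bits, so size_t is the type that matches the width of a pointer difference there.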