|
|
9ab939 |
diff -urNp xerces-c-3.1.1/src/xercesc/internal/XMLReader.cpp xerces-c-3.1.1-patch/src/xercesc/internal/XMLReader.cpp
|
|
|
9ab939 |
--- xerces-c-3.1.1/src/xercesc/internal/XMLReader.cpp 2010-01-20 12:06:14.000000000 -0500
|
|
|
9ab939 |
+++ xerces-c-3.1.1-patch/src/xercesc/internal/XMLReader.cpp 2015-06-22 12:20:22.131498873 -0400
|
|
|
9ab939 |
@@ -1460,6 +1460,17 @@ void XMLReader::doInitDecode()
|
|
|
9ab939 |
|
|
|
9ab939 |
while (fRawBufIndex < fRawBytesAvail)
|
|
|
9ab939 |
{
|
|
|
9ab939 |
+ // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume.
|
|
|
9ab939 |
+ if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) {
|
|
|
9ab939 |
+ ThrowXMLwithMemMgr1
|
|
|
9ab939 |
+ (
|
|
|
9ab939 |
+ TranscodingException
|
|
|
9ab939 |
+ , XMLExcepts::Reader_CouldNotDecodeFirstLine
|
|
|
9ab939 |
+ , fSystemId
|
|
|
9ab939 |
+ , fMemoryManager
|
|
|
9ab939 |
+ );
|
|
|
9ab939 |
+ }
|
|
|
9ab939 |
+
|
|
|
9ab939 |
// Get out the current 4 byte value and inc our raw buf index
|
|
|
9ab939 |
UCS4Ch curVal = *asUCS++;
|
|
|
9ab939 |
fRawBufIndex += sizeof(UCS4Ch);
|
|
|
9ab939 |
@@ -1619,6 +1630,17 @@ void XMLReader::doInitDecode()
|
|
|
9ab939 |
|
|
|
9ab939 |
while (fRawBufIndex < fRawBytesAvail)
|
|
|
9ab939 |
{
|
|
|
9ab939 |
+ // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume.
|
|
|
9ab939 |
+ if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) {
|
|
|
9ab939 |
+ ThrowXMLwithMemMgr1
|
|
|
9ab939 |
+ (
|
|
|
9ab939 |
+ TranscodingException
|
|
|
9ab939 |
+ , XMLExcepts::Reader_CouldNotDecodeFirstLine
|
|
|
9ab939 |
+ , fSystemId
|
|
|
9ab939 |
+ , fMemoryManager
|
|
|
9ab939 |
+ );
|
|
|
9ab939 |
+ }
|
|
|
9ab939 |
+
|
|
|
9ab939 |
// Get out the current 2 byte value
|
|
|
9ab939 |
UTF16Ch curVal = *asUTF16++;
|
|
|
9ab939 |
fRawBufIndex += sizeof(UTF16Ch);
|
|
|
9ab939 |
@@ -1708,6 +1730,17 @@ void XMLReader::doInitDecode()
|
|
|
9ab939 |
//
|
|
|
9ab939 |
void XMLReader::refreshRawBuffer()
|
|
|
9ab939 |
{
|
|
|
9ab939 |
+ // Security fix: make sure we don't underflow on the subtraction.
|
|
|
9ab939 |
+ if (fRawBufIndex > fRawBytesAvail) {
|
|
|
9ab939 |
+ ThrowXMLwithMemMgr1
|
|
|
9ab939 |
+ (
|
|
|
9ab939 |
+ RuntimeException
|
|
|
9ab939 |
+ , XMLExcepts::Str_StartIndexPastEnd
|
|
|
9ab939 |
+ , fSystemId
|
|
|
9ab939 |
+ , fMemoryManager
|
|
|
9ab939 |
+ );
|
|
|
9ab939 |
+ }
|
|
|
9ab939 |
+
|
|
|
9ab939 |
//
|
|
|
9ab939 |
// If there are any bytes left, move them down to the start. There
|
|
|
9ab939 |
// should only ever be (max bytes per char - 1) at the most.
|