|
 |
34e147 |
diff -urNp xerces-c-3.1.1-patched/src/xercesc/internal/XMLReader.cpp xerces-c-3.1.1-patched-modified/src/xercesc/internal/XMLReader.cpp
|
|
|
34e147 |
--- xerces-c-3.1.1-patched/src/xercesc/internal/XMLReader.cpp 2016-03-03 11:14:06.855482706 -0500
|
|
|
34e147 |
+++ xerces-c-3.1.1-patched-modified/src/xercesc/internal/XMLReader.cpp 2016-03-03 11:46:23.305567446 -0500
|
|
|
34e147 |
@@ -1460,8 +1460,30 @@ void XMLReader::doInitDecode()
|
|
|
34e147 |
|
|
|
34e147 |
while (fRawBufIndex < fRawBytesAvail)
|
|
|
34e147 |
{
|
|
|
34e147 |
- // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume.
|
|
|
34e147 |
+ // Make sure there are at least sizeof(UCS4Ch) bytes to consume.
|
|
|
34e147 |
if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) {
|
|
|
34e147 |
+ fCharsAvail = 0;
|
|
|
34e147 |
+ fRawBufIndex = 0;
|
|
|
34e147 |
+ fMemoryManager->deallocate(fPublicId);
|
|
|
34e147 |
+ fMemoryManager->deallocate(fEncodingStr);
|
|
|
34e147 |
+ ArrayJanitor<XMLCh> janValue(fSystemId, fMemoryManager);
|
|
|
34e147 |
+ ThrowXMLwithMemMgr1
|
|
|
34e147 |
+ (
|
|
|
34e147 |
+ TranscodingException
|
|
|
34e147 |
+ , XMLExcepts::Reader_CouldNotDecodeFirstLine
|
|
|
34e147 |
+ , fSystemId
|
|
|
34e147 |
+ , fMemoryManager
|
|
|
34e147 |
+ );
|
|
|
34e147 |
+ }
|
|
|
34e147 |
+
|
|
|
34e147 |
+ // Make sure we don't exhaust the limited prolog buffer size.
|
|
|
34e147 |
+ // Leave room for a space added at the end of this function.
|
|
|
34e147 |
+ if (fCharsAvail == kCharBufSize - 1) {
|
|
|
34e147 |
+ fCharsAvail = 0;
|
|
|
34e147 |
+ fRawBufIndex = 0;
|
|
|
34e147 |
+ fMemoryManager->deallocate(fPublicId);
|
|
|
34e147 |
+ fMemoryManager->deallocate(fEncodingStr);
|
|
|
34e147 |
+ ArrayJanitor<XMLCh> janValue(fSystemId, fMemoryManager);
|
|
|
34e147 |
ThrowXMLwithMemMgr1
|
|
|
34e147 |
(
|
|
|
34e147 |
TranscodingException
|
|
|
34e147 |
@@ -1547,6 +1569,23 @@ void XMLReader::doInitDecode()
|
|
|
34e147 |
const char curCh = *asChars++;
|
|
|
34e147 |
fRawBufIndex++;
|
|
|
34e147 |
|
|
|
34e147 |
+ // Make sure we don't exhaust the limited prolog buffer size.
|
|
|
34e147 |
+ // Leave room for a space added at the end of this function.
|
|
|
34e147 |
+ if (fCharsAvail == kCharBufSize - 1) {
|
|
|
34e147 |
+ fCharsAvail = 0;
|
|
|
34e147 |
+ fRawBufIndex = 0;
|
|
|
34e147 |
+ fMemoryManager->deallocate(fPublicId);
|
|
|
34e147 |
+ fMemoryManager->deallocate(fEncodingStr);
|
|
|
34e147 |
+ ArrayJanitor<XMLCh> janValue(fSystemId, fMemoryManager);
|
|
|
34e147 |
+ ThrowXMLwithMemMgr1
|
|
|
34e147 |
+ (
|
|
|
34e147 |
+ TranscodingException
|
|
|
34e147 |
+ , XMLExcepts::Reader_CouldNotDecodeFirstLine
|
|
|
34e147 |
+ , fSystemId
|
|
|
34e147 |
+ , fMemoryManager
|
|
|
34e147 |
+ );
|
|
|
34e147 |
+ }
|
|
|
34e147 |
+
|
|
|
34e147 |
// Looks ok, so store it
|
|
|
34e147 |
fCharSizeBuf[fCharsAvail] = 1;
|
|
|
34e147 |
fCharBuf[fCharsAvail++] = XMLCh(curCh);
|
|
|
34e147 |
@@ -1630,8 +1669,30 @@ void XMLReader::doInitDecode()
|
|
|
34e147 |
|
|
|
34e147 |
while (fRawBufIndex < fRawBytesAvail)
|
|
|
34e147 |
{
|
|
|
34e147 |
- // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume.
|
|
|
34e147 |
+ // Make sure there are at least sizeof(UTF16Ch) bytes to consume.
|
|
|
34e147 |
if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) {
|
|
|
34e147 |
+ fCharsAvail = 0;
|
|
|
34e147 |
+ fRawBufIndex = 0;
|
|
|
34e147 |
+ fMemoryManager->deallocate(fPublicId);
|
|
|
34e147 |
+ fMemoryManager->deallocate(fEncodingStr);
|
|
|
34e147 |
+ ArrayJanitor<XMLCh> janValue(fSystemId, fMemoryManager);
|
|
|
34e147 |
+ ThrowXMLwithMemMgr1
|
|
|
34e147 |
+ (
|
|
|
34e147 |
+ TranscodingException
|
|
|
34e147 |
+ , XMLExcepts::Reader_CouldNotDecodeFirstLine
|
|
|
34e147 |
+ , fSystemId
|
|
|
34e147 |
+ , fMemoryManager
|
|
|
34e147 |
+ );
|
|
|
34e147 |
+ }
|
|
|
34e147 |
+
|
|
|
34e147 |
+ // Make sure we don't exhaust the limited prolog buffer size.
|
|
|
34e147 |
+ // Leave room for a space added at the end of this function.
|
|
|
34e147 |
+ if (fCharsAvail == kCharBufSize - 1) {
|
|
|
34e147 |
+ fCharsAvail = 0;
|
|
|
34e147 |
+ fRawBufIndex = 0;
|
|
|
34e147 |
+ fMemoryManager->deallocate(fPublicId);
|
|
|
34e147 |
+ fMemoryManager->deallocate(fEncodingStr);
|
|
|
34e147 |
+ ArrayJanitor<XMLCh> janValue(fSystemId, fMemoryManager);
|
|
|
34e147 |
ThrowXMLwithMemMgr1
|
|
|
34e147 |
(
|
|
|
34e147 |
TranscodingException
|
|
|
34e147 |
@@ -1676,6 +1737,24 @@ void XMLReader::doInitDecode()
|
|
|
34e147 |
const XMLCh chCur = XMLEBCDICTranscoder::xlatThisOne(*srcPtr++);
|
|
|
34e147 |
fRawBufIndex++;
|
|
|
34e147 |
|
|
|
34e147 |
+ // Make sure we don't exhaust the limited prolog buffer size.
|
|
|
34e147 |
+ // Leave room for a space added at the end of this function.
|
|
|
34e147 |
+ if (fCharsAvail == kCharBufSize - 1) {
|
|
|
34e147 |
+ fCharsAvail = 0;
|
|
|
34e147 |
+ fRawBufIndex = 0;
|
|
|
34e147 |
+ fMemoryManager->deallocate(fPublicId);
|
|
|
34e147 |
+ fMemoryManager->deallocate(fEncodingStr);
|
|
|
34e147 |
+ ArrayJanitor<XMLCh> janValue(fSystemId, fMemoryManager);
|
|
|
34e147 |
+ ThrowXMLwithMemMgr1
|
|
|
34e147 |
+ (
|
|
|
34e147 |
+ TranscodingException
|
|
|
34e147 |
+ , XMLExcepts::Reader_CouldNotDecodeFirstLine
|
|
|
34e147 |
+ , fSystemId
|
|
|
34e147 |
+ , fMemoryManager
|
|
|
34e147 |
+ );
|
|
|
34e147 |
+ }
|
|
|
34e147 |
+
|
|
|
34e147 |
+
|
|
|
34e147 |
//
|
|
|
34e147 |
// And put it into the character buffer. This stuff has to
|
|
|
34e147 |
// look like it was normally transcoded.
|
|
|
34e147 |
@@ -1730,7 +1809,7 @@ void XMLReader::doInitDecode()
|
|
|
34e147 |
//
|
|
|
34e147 |
void XMLReader::refreshRawBuffer()
|
|
|
34e147 |
{
|
|
|
34e147 |
- // Security fix: make sure we don't underflow on the subtraction.
|
|
|
34e147 |
+ // Make sure we don't underflow on the subtraction.
|
|
|
34e147 |
if (fRawBufIndex > fRawBytesAvail) {
|
|
|
34e147 |
ThrowXMLwithMemMgr1
|
|
|
34e147 |
(
|
|
|
34e147 |
diff -urNp xerces-c-3.1.1-patched/src/xercesc/util/XMLUri.cpp xerces-c-3.1.1-patched-modified/src/xercesc/util/XMLUri.cpp
|
|
|
34e147 |
--- xerces-c-3.1.1-patched/src/xercesc/util/XMLUri.cpp 2016-03-03 11:13:54.871619517 -0500
|
|
|
34e147 |
+++ xerces-c-3.1.1-patched-modified/src/xercesc/util/XMLUri.cpp 2016-03-03 11:30:38.593240739 -0500
|
|
|
34e147 |
@@ -875,11 +875,21 @@ void XMLUri::initializePath(const XMLCh*
|
|
|
34e147 |
// check for valid escape sequence
|
|
|
34e147 |
if (testChar == chPercent)
|
|
|
34e147 |
{
|
|
|
34e147 |
- if (index+2 >= end ||
|
|
|
34e147 |
- !XMLString::isHex(uriSpec[index+1]) ||
|
|
|
34e147 |
- !XMLString::isHex(uriSpec[index+2]))
|
|
|
34e147 |
+ if (index + 2 >= end)
|
|
|
34e147 |
{
|
|
|
34e147 |
- XMLCh value1[BUF_LEN+1];
|
|
|
34e147 |
+ XMLCh value1[3];
|
|
|
34e147 |
+ value1[1] = chNull;
|
|
|
34e147 |
+ value1[2] = chNull;
|
|
|
34e147 |
+ XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 1 : 2));
|
|
|
34e147 |
+ ThrowXMLwithMemMgr2(MalformedURLException
|
|
|
34e147 |
+ , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence
|
|
|
34e147 |
+ , errMsg_PATH
|
|
|
34e147 |
+ , value1
|
|
|
34e147 |
+ , fMemoryManager);
|
|
|
34e147 |
+ }
|
|
|
34e147 |
+ else if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2]))
|
|
|
34e147 |
+ {
|
|
|
34e147 |
+ XMLCh value1[4];
|
|
|
34e147 |
XMLString::moveChars(value1, &(uriSpec[index]), 3);
|
|
|
34e147 |
value1[3] = chNull;
|
|
|
34e147 |
ThrowXMLwithMemMgr2(MalformedURLException
|
|
|
34e147 |
@@ -892,7 +902,7 @@ void XMLUri::initializePath(const XMLCh*
|
|
|
34e147 |
else if (!isUnreservedCharacter(testChar) &&
|
|
|
34e147 |
!isPathCharacter(testChar))
|
|
|
34e147 |
{
|
|
|
34e147 |
- XMLCh value1[BUF_LEN+1];
|
|
|
34e147 |
+ XMLCh value1[2];
|
|
|
34e147 |
value1[0] = testChar;
|
|
|
34e147 |
value1[1] = chNull;
|
|
|
34e147 |
ThrowXMLwithMemMgr2(MalformedURLException
|
|
|
34e147 |
@@ -920,11 +930,21 @@ void XMLUri::initializePath(const XMLCh*
|
|
|
34e147 |
// check for valid escape sequence
|
|
|
34e147 |
if (testChar == chPercent)
|
|
|
34e147 |
{
|
|
|
34e147 |
- if (index+2 >= end ||
|
|
|
34e147 |
- !XMLString::isHex(uriSpec[index+1]) ||
|
|
|
34e147 |
- !XMLString::isHex(uriSpec[index+2]))
|
|
|
34e147 |
+ if (index + 2 >= end)
|
|
|
34e147 |
{
|
|
|
34e147 |
- XMLCh value1[BUF_LEN+1];
|
|
|
34e147 |
+ XMLCh value1[3];
|
|
|
34e147 |
+ value1[1] = chNull;
|
|
|
34e147 |
+ value1[2] = chNull;
|
|
|
34e147 |
+ XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 1 : 2));
|
|
|
34e147 |
+ ThrowXMLwithMemMgr2(MalformedURLException
|
|
|
34e147 |
+ , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence
|
|
|
34e147 |
+ , errMsg_PATH
|
|
|
34e147 |
+ , value1
|
|
|
34e147 |
+ , fMemoryManager);
|
|
|
34e147 |
+ }
|
|
|
34e147 |
+ else if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2]))
|
|
|
34e147 |
+ {
|
|
|
34e147 |
+ XMLCh value1[4];
|
|
|
34e147 |
XMLString::moveChars(value1, &(uriSpec[index]), 3);
|
|
|
34e147 |
value1[3] = chNull;
|
|
|
34e147 |
ThrowXMLwithMemMgr2(MalformedURLException
|
|
|
34e147 |
@@ -941,7 +961,7 @@ void XMLUri::initializePath(const XMLCh*
|
|
|
34e147 |
// contains '[' and ']'.
|
|
|
34e147 |
else if (!isReservedOrUnreservedCharacter(testChar))
|
|
|
34e147 |
{
|
|
|
34e147 |
- XMLCh value1[BUF_LEN+1];
|
|
|
34e147 |
+ XMLCh value1[2];
|
|
|
34e147 |
value1[0] = testChar;
|
|
|
34e147 |
value1[1] = chNull;
|
|
|
34e147 |
ThrowXMLwithMemMgr2(MalformedURLException
|
|
|
34e147 |
@@ -979,11 +999,21 @@ void XMLUri::initializePath(const XMLCh*
|
|
|
34e147 |
|
|
|
34e147 |
if (testChar == chPercent)
|
|
|
34e147 |
{
|
|
|
34e147 |
- if (index+2 >= end ||
|
|
|
34e147 |
- !XMLString::isHex(uriSpec[index+1]) ||
|
|
|
34e147 |
- !XMLString::isHex(uriSpec[index+2]))
|
|
|
34e147 |
+ if (index + 2 >= end)
|
|
|
34e147 |
+ {
|
|
|
34e147 |
+ XMLCh value1[3];
|
|
|
34e147 |
+ value1[1] = chNull;
|
|
|
34e147 |
+ value1[2] = chNull;
|
|
|
34e147 |
+ XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 1 : 2));
|
|
|
34e147 |
+ ThrowXMLwithMemMgr2(MalformedURLException
|
|
|
34e147 |
+ , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence
|
|
|
34e147 |
+ , errMsg_QUERY
|
|
|
34e147 |
+ , value1
|
|
|
34e147 |
+ , fMemoryManager);
|
|
|
34e147 |
+ }
|
|
|
34e147 |
+ if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2]))
|
|
|
34e147 |
{
|
|
|
34e147 |
- XMLCh value1[BUF_LEN+1];
|
|
|
34e147 |
+ XMLCh value1[4];
|
|
|
34e147 |
XMLString::moveChars(value1, &(uriSpec[index]), 3);
|
|
|
34e147 |
value1[3] = chNull;
|
|
|
34e147 |
ThrowXMLwithMemMgr2(MalformedURLException
|
|
|
34e147 |
@@ -995,7 +1025,7 @@ void XMLUri::initializePath(const XMLCh*
|
|
|
34e147 |
}
|
|
|
34e147 |
else if (!isReservedOrUnreservedCharacter(testChar))
|
|
|
34e147 |
{
|
|
|
34e147 |
- XMLCh value1[BUF_LEN+1];
|
|
|
34e147 |
+ XMLCh value1[2];
|
|
|
34e147 |
value1[0] = testChar;
|
|
|
34e147 |
value1[1] = chNull;
|
|
|
34e147 |
ThrowXMLwithMemMgr2(MalformedURLException
|
|
|
34e147 |
@@ -1030,11 +1060,21 @@ void XMLUri::initializePath(const XMLCh*
|
|
|
34e147 |
|
|
|
34e147 |
if (testChar == chPercent)
|
|
|
34e147 |
{
|
|
|
34e147 |
- if (index+2 >= end ||
|
|
|
34e147 |
- !XMLString::isHex(uriSpec[index+1]) ||
|
|
|
34e147 |
- !XMLString::isHex(uriSpec[index+2]))
|
|
|
34e147 |
+ if (index + 2 >= end)
|
|
|
34e147 |
+ {
|
|
|
34e147 |
+ XMLCh value1[3];
|
|
|
34e147 |
+ value1[1] = chNull;
|
|
|
34e147 |
+ value1[2] = chNull;
|
|
|
34e147 |
+ XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 1 : 2));
|
|
|
34e147 |
+ ThrowXMLwithMemMgr2(MalformedURLException
|
|
|
34e147 |
+ , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence
|
|
|
34e147 |
+ , errMsg_FRAGMENT
|
|
|
34e147 |
+ , value1
|
|
|
34e147 |
+ , fMemoryManager);
|
|
|
34e147 |
+ }
|
|
|
34e147 |
+ if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2]))
|
|
|
34e147 |
{
|
|
|
34e147 |
- XMLCh value1[BUF_LEN+1];
|
|
|
34e147 |
+ XMLCh value1[4];
|
|
|
34e147 |
XMLString::moveChars(value1, &(uriSpec[index]), 3);
|
|
|
34e147 |
value1[3] = chNull;
|
|
|
34e147 |
ThrowXMLwithMemMgr2(MalformedURLException
|
|
|
34e147 |
@@ -1046,7 +1086,7 @@ void XMLUri::initializePath(const XMLCh*
|
|
|
34e147 |
}
|
|
|
34e147 |
else if (!isReservedOrUnreservedCharacter(testChar))
|
|
|
34e147 |
{
|
|
|
34e147 |
- XMLCh value1[BUF_LEN+1];
|
|
|
34e147 |
+ XMLCh value1[2];
|
|
|
34e147 |
value1[0] = testChar;
|
|
|
34e147 |
value1[1] = chNull;
|
|
|
34e147 |
ThrowXMLwithMemMgr2(MalformedURLException
|
|
|
34e147 |
@@ -1410,14 +1450,15 @@ void XMLUri::isConformantUserInfo(const
|
|
|
34e147 |
}
|
|
|
34e147 |
else if (*tmpStr == chPercent) // '%'
|
|
|
34e147 |
{
|
|
|
34e147 |
- if (XMLString::isHex(*(tmpStr+1)) && // 1st hex
|
|
|
34e147 |
- XMLString::isHex(*(tmpStr+2)) ) // 2nd hex
|
|
|
34e147 |
+ if (XMLString::stringLen(tmpStr) >= 3
|
|
|
34e147 |
+ && XMLString::isHex(*(tmpStr+1)) // 1st hex
|
|
|
34e147 |
+ && XMLString::isHex(*(tmpStr+2)) ) // 2nd hex
|
|
|
34e147 |
{
|
|
|
34e147 |
tmpStr+=3;
|
|
|
34e147 |
}
|
|
|
34e147 |
else
|
|
|
34e147 |
{
|
|
|
34e147 |
- XMLCh value1[BUF_LEN+1];
|
|
|
34e147 |
+ XMLCh value1[4];
|
|
|
34e147 |
value1[0] = chPercent;
|
|
|
34e147 |
value1[1] = *(tmpStr+1);
|
|
|
34e147 |
value1[2] = *(tmpStr+2);
|
|
|
34e147 |
@@ -1468,8 +1509,9 @@ bool XMLUri::isValidServerBasedAuthority
|
|
|
34e147 |
}
|
|
|
34e147 |
else if (userinfo[index] == chPercent) // '%'
|
|
|
34e147 |
{
|
|
|
34e147 |
- if (XMLString::isHex(userinfo[index+1]) && // 1st hex
|
|
|
34e147 |
- XMLString::isHex(userinfo[index+2]) ) // 2nd hex
|
|
|
34e147 |
+ if (index + 2 < userLen
|
|
|
34e147 |
+ && XMLString::isHex(userinfo[index+1]) // 1st hex
|
|
|
34e147 |
+ && XMLString::isHex(userinfo[index+2]) ) // 2nd hex
|
|
|
34e147 |
index +=3;
|
|
|
34e147 |
else
|
|
|
34e147 |
return false;
|
|
|
34e147 |
@@ -1508,8 +1550,9 @@ bool XMLUri::isValidServerBasedAuthority
|
|
|
34e147 |
}
|
|
|
34e147 |
else if (*tmpStr == chPercent) // '%'
|
|
|
34e147 |
{
|
|
|
34e147 |
- if (XMLString::isHex(*(tmpStr+1)) && // 1st hex
|
|
|
34e147 |
- XMLString::isHex(*(tmpStr+2)) ) // 2nd hex
|
|
|
34e147 |
+ if (XMLString::stringLen(tmpStr) >= 3
|
|
|
34e147 |
+ && XMLString::isHex(*(tmpStr+1)) // 1st hex
|
|
|
34e147 |
+ && XMLString::isHex(*(tmpStr+2)) ) // 2nd hex
|
|
|
34e147 |
{
|
|
|
34e147 |
tmpStr+=3;
|
|
|
34e147 |
}
|
|
|
34e147 |
@@ -1537,8 +1580,9 @@ bool XMLUri::isValidRegistryBasedAuthori
|
|
|
34e147 |
}
|
|
|
34e147 |
else if (authority[index] == chPercent) // '%'
|
|
|
34e147 |
{
|
|
|
34e147 |
- if (XMLString::isHex(authority[index+1]) && // 1st hex
|
|
|
34e147 |
- XMLString::isHex(authority[index+2]) ) // 2nd hex
|
|
|
34e147 |
+ if (index + 2 < authLen
|
|
|
34e147 |
+ && XMLString::isHex(authority[index+1]) // 1st hex
|
|
|
34e147 |
+ && XMLString::isHex(authority[index+2]) ) // 2nd hex
|
|
|
34e147 |
index +=3;
|
|
|
34e147 |
else
|
|
|
34e147 |
return false;
|
|
|
34e147 |
@@ -1566,8 +1610,9 @@ bool XMLUri::isValidRegistryBasedAuthori
|
|
|
34e147 |
}
|
|
|
34e147 |
else if (*tmpStr == chPercent) // '%'
|
|
|
34e147 |
{
|
|
|
34e147 |
- if (XMLString::isHex(*(tmpStr+1)) && // 1st hex
|
|
|
34e147 |
- XMLString::isHex(*(tmpStr+2)) ) // 2nd hex
|
|
|
34e147 |
+ if (XMLString::stringLen(tmpStr) >= 3
|
|
|
34e147 |
+ && XMLString::isHex(*(tmpStr + 1)) // 1st hex
|
|
|
34e147 |
+ && XMLString::isHex(*(tmpStr + 2))) // 2nd hex
|
|
|
34e147 |
{
|
|
|
34e147 |
tmpStr+=3;
|
|
|
34e147 |
}
|
|
|
34e147 |
@@ -1602,8 +1647,9 @@ bool XMLUri::isURIString(const XMLCh* co
|
|
|
34e147 |
}
|
|
|
34e147 |
else if (*tmpStr == chPercent) // '%'
|
|
|
34e147 |
{
|
|
|
34e147 |
- if (XMLString::isHex(*(tmpStr+1)) && // 1st hex
|
|
|
34e147 |
- XMLString::isHex(*(tmpStr+2)) ) // 2nd hex
|
|
|
34e147 |
+ if (XMLString::stringLen(tmpStr) >=3
|
|
|
34e147 |
+ && XMLString::isHex(*(tmpStr+1)) // 1st hex
|
|
|
34e147 |
+ && XMLString::isHex(*(tmpStr+2)) ) // 2nd hex
|
|
|
34e147 |
{
|
|
|
34e147 |
tmpStr+=3;
|
|
|
34e147 |
}
|
|
|
34e147 |
diff -urNp xerces-c-3.1.1-patched/src/xercesc/util/XMLURL.cpp xerces-c-3.1.1-patched-modified/src/xercesc/util/XMLURL.cpp
|
|
|
34e147 |
--- xerces-c-3.1.1-patched/src/xercesc/util/XMLURL.cpp 2016-03-03 11:13:54.871619517 -0500
|
|
|
34e147 |
+++ xerces-c-3.1.1-patched-modified/src/xercesc/util/XMLURL.cpp 2016-03-03 11:44:08.553089142 -0500
|
|
|
34e147 |
@@ -117,8 +117,8 @@ static const XMLCh gListSix[] = { chP
|
|
|
34e147 |
static bool isHexDigit(const XMLCh toCheck)
|
|
|
34e147 |
{
|
|
|
34e147 |
if (((toCheck >= chDigit_0) && (toCheck <= chDigit_9))
|
|
|
34e147 |
- || ((toCheck >= chLatin_A) && (toCheck <= chLatin_Z))
|
|
|
34e147 |
- || ((toCheck >= chLatin_a) && (toCheck <= chLatin_z)))
|
|
|
34e147 |
+ || ((toCheck >= chLatin_A) && (toCheck <= chLatin_F))
|
|
|
34e147 |
+ || ((toCheck >= chLatin_a) && (toCheck <= chLatin_f)))
|
|
|
34e147 |
{
|
|
|
34e147 |
return true;
|
|
|
34e147 |
}
|
|
|
34e147 |
@@ -130,7 +130,7 @@ static unsigned int xlatHexDigit(const X
|
|
|
34e147 |
if ((toXlat >= chDigit_0) && (toXlat <= chDigit_9))
|
|
|
34e147 |
return (unsigned int)(toXlat - chDigit_0);
|
|
|
34e147 |
|
|
|
34e147 |
- if ((toXlat >= chLatin_A) && (toXlat <= chLatin_Z))
|
|
|
34e147 |
+ if ((toXlat >= chLatin_A) && (toXlat <= chLatin_F))
|
|
|
34e147 |
return (unsigned int)(toXlat - chLatin_A) + 10;
|
|
|
34e147 |
|
|
|
34e147 |
return (unsigned int)(toXlat - chLatin_a) + 10;
|
|
|
34e147 |
@@ -611,9 +611,20 @@ BinInputStream* XMLURL::makeNewStream()
|
|
|
34e147 |
|
|
|
34e147 |
while (percentIndex != -1) {
|
|
|
34e147 |
|
|
|
34e147 |
- if (percentIndex+2 >= (int)end ||
|
|
|
34e147 |
- !isHexDigit(realPath[percentIndex+1]) ||
|
|
|
34e147 |
- !isHexDigit(realPath[percentIndex+2]))
|
|
|
34e147 |
+ // Isolate the length/boundary check so we don't try and copy off the end.
|
|
|
34e147 |
+ if (percentIndex+2 >= (int)end)
|
|
|
34e147 |
+ {
|
|
|
34e147 |
+ XMLCh value1[3];
|
|
|
34e147 |
+ value1[1] = chNull;
|
|
|
34e147 |
+ value1[2] = chNull;
|
|
|
34e147 |
+ XMLString::moveChars(value1, &(realPath[percentIndex]), (percentIndex + 1 >= (int)end ? 1 : 2));
|
|
|
34e147 |
+ ThrowXMLwithMemMgr2(MalformedURLException
|
|
|
34e147 |
+ , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence
|
|
|
34e147 |
+ , realPath
|
|
|
34e147 |
+ , value1
|
|
|
34e147 |
+ , fMemoryManager);
|
|
|
34e147 |
+ }
|
|
|
34e147 |
+ else if (!isHexDigit(realPath[percentIndex+1]) || !isHexDigit(realPath[percentIndex+2]))
|
|
|
34e147 |
{
|
|
|
34e147 |
XMLCh value1[4];
|
|
|
34e147 |
XMLString::moveChars(value1, &(realPath[percentIndex]), 3);
|