diff -urNp xerces-c-3.1.1/src/xercesc/internal/XMLReader.cpp xerces-c-3.1.1-patch/src/xercesc/internal/XMLReader.cpp
--- xerces-c-3.1.1/src/xercesc/internal/XMLReader.cpp 2010-01-20 12:06:14.000000000 -0500
+++ xerces-c-3.1.1-patch/src/xercesc/internal/XMLReader.cpp 2015-06-22 12:20:22.131498873 -0400
@@ -1460,6 +1460,17 @@ void XMLReader::doInitDecode()
while (fRawBufIndex < fRawBytesAvail)
{
+ // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume.
+ if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) {
+ ThrowXMLwithMemMgr1
+ (
+ TranscodingException
+ , XMLExcepts::Reader_CouldNotDecodeFirstLine
+ , fSystemId
+ , fMemoryManager
+ );
+ }
+
// Get out the current 4 byte value and inc our raw buf index
UCS4Ch curVal = *asUCS++;
fRawBufIndex += sizeof(UCS4Ch);
@@ -1619,6 +1630,17 @@ void XMLReader::doInitDecode()
while (fRawBufIndex < fRawBytesAvail)
{
+ // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume.
+ if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) {
+ ThrowXMLwithMemMgr1
+ (
+ TranscodingException
+ , XMLExcepts::Reader_CouldNotDecodeFirstLine
+ , fSystemId
+ , fMemoryManager
+ );
+ }
+
// Get out the current 2 byte value
UTF16Ch curVal = *asUTF16++;
fRawBufIndex += sizeof(UTF16Ch);
@@ -1708,6 +1730,17 @@ void XMLReader::doInitDecode()
//
void XMLReader::refreshRawBuffer()
{
+ // Security fix: make sure we don't underflow on the subtraction.
+ if (fRawBufIndex > fRawBytesAvail) {
+ ThrowXMLwithMemMgr1
+ (
+ RuntimeException
+ , XMLExcepts::Str_StartIndexPastEnd
+ , fSystemId
+ , fMemoryManager
+ );
+ }
+
//
// If there are any bytes left, move them down to the start. There
// should only ever be (max bytes per char - 1) at the most.