diff -urNp xerces-c-3.1.1-patched/src/xercesc/internal/XMLReader.cpp xerces-c-3.1.1-patched-modified/src/xercesc/internal/XMLReader.cpp --- xerces-c-3.1.1-patched/src/xercesc/internal/XMLReader.cpp 2016-03-03 11:14:06.855482706 -0500 +++ xerces-c-3.1.1-patched-modified/src/xercesc/internal/XMLReader.cpp 2016-03-03 11:46:23.305567446 -0500 @@ -1460,8 +1460,30 @@ void XMLReader::doInitDecode() while (fRawBufIndex < fRawBytesAvail) { - // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume. + // Make sure there are at least sizeof(UCS4Ch) bytes to consume. if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) { + fCharsAvail = 0; + fRawBufIndex = 0; + fMemoryManager->deallocate(fPublicId); + fMemoryManager->deallocate(fEncodingStr); + ArrayJanitor janValue(fSystemId, fMemoryManager); + ThrowXMLwithMemMgr1 + ( + TranscodingException + , XMLExcepts::Reader_CouldNotDecodeFirstLine + , fSystemId + , fMemoryManager + ); + } + + // Make sure we don't exhaust the limited prolog buffer size. + // Leave room for a space added at the end of this function. + if (fCharsAvail == kCharBufSize - 1) { + fCharsAvail = 0; + fRawBufIndex = 0; + fMemoryManager->deallocate(fPublicId); + fMemoryManager->deallocate(fEncodingStr); + ArrayJanitor janValue(fSystemId, fMemoryManager); ThrowXMLwithMemMgr1 ( TranscodingException @@ -1547,6 +1569,23 @@ void XMLReader::doInitDecode() const char curCh = *asChars++; fRawBufIndex++; + // Make sure we don't exhaust the limited prolog buffer size. + // Leave room for a space added at the end of this function. + if (fCharsAvail == kCharBufSize - 1) { + fCharsAvail = 0; + fRawBufIndex = 0; + fMemoryManager->deallocate(fPublicId); + fMemoryManager->deallocate(fEncodingStr); + ArrayJanitor janValue(fSystemId, fMemoryManager); + ThrowXMLwithMemMgr1 + ( + TranscodingException + , XMLExcepts::Reader_CouldNotDecodeFirstLine + , fSystemId + , fMemoryManager + ); + } + // Looks ok, so store it fCharSizeBuf[fCharsAvail] = 1; fCharBuf[fCharsAvail++] = XMLCh(curCh); @@ -1630,8 +1669,30 @@ void XMLReader::doInitDecode() while (fRawBufIndex < fRawBytesAvail) { - // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume. + // Make sure there are at least sizeof(UTF16Ch) bytes to consume. if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) { + fCharsAvail = 0; + fRawBufIndex = 0; + fMemoryManager->deallocate(fPublicId); + fMemoryManager->deallocate(fEncodingStr); + ArrayJanitor janValue(fSystemId, fMemoryManager); + ThrowXMLwithMemMgr1 + ( + TranscodingException + , XMLExcepts::Reader_CouldNotDecodeFirstLine + , fSystemId + , fMemoryManager + ); + } + + // Make sure we don't exhaust the limited prolog buffer size. + // Leave room for a space added at the end of this function. + if (fCharsAvail == kCharBufSize - 1) { + fCharsAvail = 0; + fRawBufIndex = 0; + fMemoryManager->deallocate(fPublicId); + fMemoryManager->deallocate(fEncodingStr); + ArrayJanitor janValue(fSystemId, fMemoryManager); ThrowXMLwithMemMgr1 ( TranscodingException @@ -1676,6 +1737,24 @@ void XMLReader::doInitDecode() const XMLCh chCur = XMLEBCDICTranscoder::xlatThisOne(*srcPtr++); fRawBufIndex++; + // Make sure we don't exhaust the limited prolog buffer size. + // Leave room for a space added at the end of this function. + if (fCharsAvail == kCharBufSize - 1) { + fCharsAvail = 0; + fRawBufIndex = 0; + fMemoryManager->deallocate(fPublicId); + fMemoryManager->deallocate(fEncodingStr); + ArrayJanitor janValue(fSystemId, fMemoryManager); + ThrowXMLwithMemMgr1 + ( + TranscodingException + , XMLExcepts::Reader_CouldNotDecodeFirstLine + , fSystemId + , fMemoryManager + ); + } + + // // And put it into the character buffer. This stuff has to // look like it was normally transcoded. @@ -1730,7 +1809,7 @@ void XMLReader::doInitDecode() // void XMLReader::refreshRawBuffer() { - // Security fix: make sure we don't underflow on the subtraction. + // Make sure we don't underflow on the subtraction. if (fRawBufIndex > fRawBytesAvail) { ThrowXMLwithMemMgr1 ( diff -urNp xerces-c-3.1.1-patched/src/xercesc/util/XMLUri.cpp xerces-c-3.1.1-patched-modified/src/xercesc/util/XMLUri.cpp --- xerces-c-3.1.1-patched/src/xercesc/util/XMLUri.cpp 2016-03-03 11:13:54.871619517 -0500 +++ xerces-c-3.1.1-patched-modified/src/xercesc/util/XMLUri.cpp 2016-03-03 11:30:38.593240739 -0500 @@ -875,11 +875,21 @@ void XMLUri::initializePath(const XMLCh* // check for valid escape sequence if (testChar == chPercent) { - if (index+2 >= end || - !XMLString::isHex(uriSpec[index+1]) || - !XMLString::isHex(uriSpec[index+2])) + if (index + 2 >= end) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[3]; + value1[1] = chNull; + value1[2] = chNull; + XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 1 : 2)); + ThrowXMLwithMemMgr2(MalformedURLException + , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence + , errMsg_PATH + , value1 + , fMemoryManager); + } + else if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2])) + { + XMLCh value1[4]; XMLString::moveChars(value1, &(uriSpec[index]), 3); value1[3] = chNull; ThrowXMLwithMemMgr2(MalformedURLException @@ -892,7 +902,7 @@ void XMLUri::initializePath(const XMLCh* else if (!isUnreservedCharacter(testChar) && !isPathCharacter(testChar)) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[2]; value1[0] = testChar; value1[1] = chNull; ThrowXMLwithMemMgr2(MalformedURLException @@ -920,11 +930,21 @@ void XMLUri::initializePath(const XMLCh* // check for valid escape sequence if (testChar == chPercent) { - if (index+2 >= end || - !XMLString::isHex(uriSpec[index+1]) || - !XMLString::isHex(uriSpec[index+2])) + if (index + 2 >= end) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[3]; + value1[1] = chNull; + value1[2] = chNull; + XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 1 : 2)); + ThrowXMLwithMemMgr2(MalformedURLException + , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence + , errMsg_PATH + , value1 + , fMemoryManager); + } + else if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2])) + { + XMLCh value1[4]; XMLString::moveChars(value1, &(uriSpec[index]), 3); value1[3] = chNull; ThrowXMLwithMemMgr2(MalformedURLException @@ -941,7 +961,7 @@ void XMLUri::initializePath(const XMLCh* // contains '[' and ']'. else if (!isReservedOrUnreservedCharacter(testChar)) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[2]; value1[0] = testChar; value1[1] = chNull; ThrowXMLwithMemMgr2(MalformedURLException @@ -979,11 +999,21 @@ void XMLUri::initializePath(const XMLCh* if (testChar == chPercent) { - if (index+2 >= end || - !XMLString::isHex(uriSpec[index+1]) || - !XMLString::isHex(uriSpec[index+2])) + if (index + 2 >= end) + { + XMLCh value1[3]; + value1[1] = chNull; + value1[2] = chNull; + XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 1 : 2)); + ThrowXMLwithMemMgr2(MalformedURLException + , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence + , errMsg_QUERY + , value1 + , fMemoryManager); + } + if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2])) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[4]; XMLString::moveChars(value1, &(uriSpec[index]), 3); value1[3] = chNull; ThrowXMLwithMemMgr2(MalformedURLException @@ -995,7 +1025,7 @@ void XMLUri::initializePath(const XMLCh* } else if (!isReservedOrUnreservedCharacter(testChar)) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[2]; value1[0] = testChar; value1[1] = chNull; ThrowXMLwithMemMgr2(MalformedURLException @@ -1030,11 +1060,21 @@ void XMLUri::initializePath(const XMLCh* if (testChar == chPercent) { - if (index+2 >= end || - !XMLString::isHex(uriSpec[index+1]) || - !XMLString::isHex(uriSpec[index+2])) + if (index + 2 >= end) + { + XMLCh value1[3]; + value1[1] = chNull; + value1[2] = chNull; + XMLString::moveChars(value1, &(uriSpec[index]), (index + 1 >= end ? 1 : 2)); + ThrowXMLwithMemMgr2(MalformedURLException + , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence + , errMsg_FRAGMENT + , value1 + , fMemoryManager); + } + if (!XMLString::isHex(uriSpec[index+1]) || !XMLString::isHex(uriSpec[index+2])) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[4]; XMLString::moveChars(value1, &(uriSpec[index]), 3); value1[3] = chNull; ThrowXMLwithMemMgr2(MalformedURLException @@ -1046,7 +1086,7 @@ void XMLUri::initializePath(const XMLCh* } else if (!isReservedOrUnreservedCharacter(testChar)) { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[2]; value1[0] = testChar; value1[1] = chNull; ThrowXMLwithMemMgr2(MalformedURLException @@ -1410,14 +1450,15 @@ void XMLUri::isConformantUserInfo(const } else if (*tmpStr == chPercent) // '%' { - if (XMLString::isHex(*(tmpStr+1)) && // 1st hex - XMLString::isHex(*(tmpStr+2)) ) // 2nd hex + if (XMLString::stringLen(tmpStr) >= 3 + && XMLString::isHex(*(tmpStr+1)) // 1st hex + && XMLString::isHex(*(tmpStr+2)) ) // 2nd hex { tmpStr+=3; } else { - XMLCh value1[BUF_LEN+1]; + XMLCh value1[4]; value1[0] = chPercent; value1[1] = *(tmpStr+1); value1[2] = *(tmpStr+2); @@ -1468,8 +1509,9 @@ bool XMLUri::isValidServerBasedAuthority } else if (userinfo[index] == chPercent) // '%' { - if (XMLString::isHex(userinfo[index+1]) && // 1st hex - XMLString::isHex(userinfo[index+2]) ) // 2nd hex + if (index + 2 < userLen + && XMLString::isHex(userinfo[index+1]) // 1st hex + && XMLString::isHex(userinfo[index+2]) ) // 2nd hex index +=3; else return false; @@ -1508,8 +1550,9 @@ bool XMLUri::isValidServerBasedAuthority } else if (*tmpStr == chPercent) // '%' { - if (XMLString::isHex(*(tmpStr+1)) && // 1st hex - XMLString::isHex(*(tmpStr+2)) ) // 2nd hex + if (XMLString::stringLen(tmpStr) >= 3 + && XMLString::isHex(*(tmpStr+1)) // 1st hex + && XMLString::isHex(*(tmpStr+2)) ) // 2nd hex { tmpStr+=3; } @@ -1537,8 +1580,9 @@ bool XMLUri::isValidRegistryBasedAuthori } else if (authority[index] == chPercent) // '%' { - if (XMLString::isHex(authority[index+1]) && // 1st hex - XMLString::isHex(authority[index+2]) ) // 2nd hex + if (index + 2 < authLen + && XMLString::isHex(authority[index+1]) // 1st hex + && XMLString::isHex(authority[index+2]) ) // 2nd hex index +=3; else return false; @@ -1566,8 +1610,9 @@ bool XMLUri::isValidRegistryBasedAuthori } else if (*tmpStr == chPercent) // '%' { - if (XMLString::isHex(*(tmpStr+1)) && // 1st hex - XMLString::isHex(*(tmpStr+2)) ) // 2nd hex + if (XMLString::stringLen(tmpStr) >= 3 + && XMLString::isHex(*(tmpStr + 1)) // 1st hex + && XMLString::isHex(*(tmpStr + 2))) // 2nd hex { tmpStr+=3; } @@ -1602,8 +1647,9 @@ bool XMLUri::isURIString(const XMLCh* co } else if (*tmpStr == chPercent) // '%' { - if (XMLString::isHex(*(tmpStr+1)) && // 1st hex - XMLString::isHex(*(tmpStr+2)) ) // 2nd hex + if (XMLString::stringLen(tmpStr) >=3 + && XMLString::isHex(*(tmpStr+1)) // 1st hex + && XMLString::isHex(*(tmpStr+2)) ) // 2nd hex { tmpStr+=3; } diff -urNp xerces-c-3.1.1-patched/src/xercesc/util/XMLURL.cpp xerces-c-3.1.1-patched-modified/src/xercesc/util/XMLURL.cpp --- xerces-c-3.1.1-patched/src/xercesc/util/XMLURL.cpp 2016-03-03 11:13:54.871619517 -0500 +++ xerces-c-3.1.1-patched-modified/src/xercesc/util/XMLURL.cpp 2016-03-03 11:44:08.553089142 -0500 @@ -117,8 +117,8 @@ static const XMLCh gListSix[] = { chP static bool isHexDigit(const XMLCh toCheck) { if (((toCheck >= chDigit_0) && (toCheck <= chDigit_9)) - || ((toCheck >= chLatin_A) && (toCheck <= chLatin_Z)) - || ((toCheck >= chLatin_a) && (toCheck <= chLatin_z))) + || ((toCheck >= chLatin_A) && (toCheck <= chLatin_F)) + || ((toCheck >= chLatin_a) && (toCheck <= chLatin_f))) { return true; } @@ -130,7 +130,7 @@ static unsigned int xlatHexDigit(const X if ((toXlat >= chDigit_0) && (toXlat <= chDigit_9)) return (unsigned int)(toXlat - chDigit_0); - if ((toXlat >= chLatin_A) && (toXlat <= chLatin_Z)) + if ((toXlat >= chLatin_A) && (toXlat <= chLatin_F)) return (unsigned int)(toXlat - chLatin_A) + 10; return (unsigned int)(toXlat - chLatin_a) + 10; @@ -611,9 +611,20 @@ BinInputStream* XMLURL::makeNewStream() while (percentIndex != -1) { - if (percentIndex+2 >= (int)end || - !isHexDigit(realPath[percentIndex+1]) || - !isHexDigit(realPath[percentIndex+2])) + // Isolate the length/boundary check so we don't try and copy off the end. + if (percentIndex+2 >= (int)end) + { + XMLCh value1[3]; + value1[1] = chNull; + value1[2] = chNull; + XMLString::moveChars(value1, &(realPath[percentIndex]), (percentIndex + 1 >= (int)end ? 1 : 2)); + ThrowXMLwithMemMgr2(MalformedURLException + , XMLExcepts::XMLNUM_URI_Component_Invalid_EscapeSequence + , realPath + , value1 + , fMemoryManager); + } + else if (!isHexDigit(realPath[percentIndex+1]) || !isHexDigit(realPath[percentIndex+2])) { XMLCh value1[4]; XMLString::moveChars(value1, &(realPath[percentIndex]), 3);