diff options
author | Yi Zhao <yi.zhao@windriver.com> | 2016-06-17 11:20:58 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-06-23 14:26:14 +0100 |
commit | a02911390cc09d9f2ac15142982142c459a143d5 (patch) | |
tree | cddb42ea5a7d0481fa136f4926b80ebeab4c8fbe /meta | |
parent | c0238cb902054296025446ed41a98bf4ed89dd04 (diff) | |
download | poky-a02911390cc09d9f2ac15142982142c459a143d5.tar.gz |
expat: CVE-2016-0718
Fix CVE-2016-0718: expat XML parser crashes on malformed input
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718
https://bugzilla.redhat.com/show_bug.cgi?id=1296102
https://bugzilla.suse.com/show_bug.cgi?id=979441
Patch from:
https://bugzilla.redhat.com/show_bug.cgi?id=1296102
(From OE-Core rev: 6589de727ba9c9901fdd53d31bd88ad0f17f3905)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-core/expat/expat.inc | 1 | ||||
-rw-r--r-- | meta/recipes-core/expat/expat/CVE-2016-0718.patch | 760 |
2 files changed, 761 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat.inc b/meta/recipes-core/expat/expat.inc index fe9d7e74f0..3d8429c513 100644 --- a/meta/recipes-core/expat/expat.inc +++ b/meta/recipes-core/expat/expat.inc | |||
@@ -6,6 +6,7 @@ LICENSE = "MIT" | |||
6 | 6 | ||
7 | SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \ | 7 | SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \ |
8 | file://autotools.patch \ | 8 | file://autotools.patch \ |
9 | file://CVE-2016-0718.patch \ | ||
9 | " | 10 | " |
10 | 11 | ||
11 | inherit autotools lib_package gzipnative | 12 | inherit autotools lib_package gzipnative |
diff --git a/meta/recipes-core/expat/expat/CVE-2016-0718.patch b/meta/recipes-core/expat/expat/CVE-2016-0718.patch new file mode 100644 index 0000000000..3fff5e9b0e --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2016-0718.patch | |||
@@ -0,0 +1,760 @@ | |||
1 | From cdfcb1b5c95e93b00ae9e9d25708b4a3bee72c15 Mon Sep 17 00:00:00 2001 | ||
2 | From: Sebastian Pipping <sebastian@pipping.org> | ||
3 | Date: Mon, 2 May 2016 00:02:44 +0200 | ||
4 | Subject: [PATCH] Address CVE-2016-0718 (/patch/ version 2.2.1) | ||
5 | |||
6 | * Out of bounds memory access when doing text conversion on malformed input | ||
7 | * Integer overflow related to memory allocation | ||
8 | |||
9 | Reported by Gustavo Grieco | ||
10 | |||
11 | Patch credits go to | ||
12 | * Christian Heimes | ||
13 | * Karl Waclawek | ||
14 | * Gustavo Grieco | ||
15 | * Sebastian Pipping | ||
16 | * Pascal Cuoq | ||
17 | |||
18 | CVE: CVE-2016-0718 | ||
19 | Upstream-Status: Backport | ||
20 | |||
21 | Signed-off-by: Yi Zhao <yi.zhao@windirver.com> | ||
22 | --- | ||
23 | expat/lib/xmlparse.c | 34 +++++++++----- | ||
24 | expat/lib/xmltok.c | 115 +++++++++++++++++++++++++++++++++++------------- | ||
25 | expat/lib/xmltok.h | 10 ++++- | ||
26 | expat/lib/xmltok_impl.c | 62 +++++++++++++------------- | ||
27 | 4 files changed, 146 insertions(+), 75 deletions(-) | ||
28 | |||
29 | diff --git a/lib/xmlparse.c b/lib/xmlparse.c | ||
30 | index e308c79..13e080d 100644 | ||
31 | --- a/lib/xmlparse.c | ||
32 | +++ b/lib/xmlparse.c | ||
33 | @@ -2426,11 +2426,11 @@ doContent(XML_Parser parser, | ||
34 | for (;;) { | ||
35 | int bufSize; | ||
36 | int convLen; | ||
37 | - XmlConvert(enc, | ||
38 | + const enum XML_Convert_Result convert_res = XmlConvert(enc, | ||
39 | &fromPtr, rawNameEnd, | ||
40 | (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1); | ||
41 | convLen = (int)(toPtr - (XML_Char *)tag->buf); | ||
42 | - if (fromPtr == rawNameEnd) { | ||
43 | + if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) { | ||
44 | tag->name.strLen = convLen; | ||
45 | break; | ||
46 | } | ||
47 | @@ -2651,11 +2651,11 @@ doContent(XML_Parser parser, | ||
48 | if (MUST_CONVERT(enc, s)) { | ||
49 | for (;;) { | ||
50 | ICHAR *dataPtr = (ICHAR *)dataBuf; | ||
51 | - XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); | ||
52 | + const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); | ||
53 | *eventEndPP = s; | ||
54 | charDataHandler(handlerArg, dataBuf, | ||
55 | (int)(dataPtr - (ICHAR *)dataBuf)); | ||
56 | - if (s == next) | ||
57 | + if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) | ||
58 | break; | ||
59 | *eventPP = s; | ||
60 | } | ||
61 | @@ -3261,11 +3261,11 @@ doCdataSection(XML_Parser parser, | ||
62 | if (MUST_CONVERT(enc, s)) { | ||
63 | for (;;) { | ||
64 | ICHAR *dataPtr = (ICHAR *)dataBuf; | ||
65 | - XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); | ||
66 | + const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd); | ||
67 | *eventEndPP = next; | ||
68 | charDataHandler(handlerArg, dataBuf, | ||
69 | (int)(dataPtr - (ICHAR *)dataBuf)); | ||
70 | - if (s == next) | ||
71 | + if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) | ||
72 | break; | ||
73 | *eventPP = s; | ||
74 | } | ||
75 | @@ -5342,6 +5342,7 @@ reportDefault(XML_Parser parser, const ENCODING *enc, | ||
76 | const char *s, const char *end) | ||
77 | { | ||
78 | if (MUST_CONVERT(enc, s)) { | ||
79 | + enum XML_Convert_Result convert_res; | ||
80 | const char **eventPP; | ||
81 | const char **eventEndPP; | ||
82 | if (enc == encoding) { | ||
83 | @@ -5354,11 +5355,11 @@ reportDefault(XML_Parser parser, const ENCODING *enc, | ||
84 | } | ||
85 | do { | ||
86 | ICHAR *dataPtr = (ICHAR *)dataBuf; | ||
87 | - XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd); | ||
88 | + convert_res = XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd); | ||
89 | *eventEndPP = s; | ||
90 | defaultHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf)); | ||
91 | *eventPP = s; | ||
92 | - } while (s != end); | ||
93 | + } while ((convert_res != XML_CONVERT_COMPLETED) && (convert_res != XML_CONVERT_INPUT_INCOMPLETE)); | ||
94 | } | ||
95 | else | ||
96 | defaultHandler(handlerArg, (XML_Char *)s, (int)((XML_Char *)end - (XML_Char *)s)); | ||
97 | @@ -6163,8 +6164,8 @@ poolAppend(STRING_POOL *pool, const ENCODING *enc, | ||
98 | if (!pool->ptr && !poolGrow(pool)) | ||
99 | return NULL; | ||
100 | for (;;) { | ||
101 | - XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end); | ||
102 | - if (ptr == end) | ||
103 | + const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end); | ||
104 | + if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) | ||
105 | break; | ||
106 | if (!poolGrow(pool)) | ||
107 | return NULL; | ||
108 | @@ -6248,8 +6249,13 @@ poolGrow(STRING_POOL *pool) | ||
109 | } | ||
110 | } | ||
111 | if (pool->blocks && pool->start == pool->blocks->s) { | ||
112 | - int blockSize = (int)(pool->end - pool->start)*2; | ||
113 | - BLOCK *temp = (BLOCK *) | ||
114 | + BLOCK *temp; | ||
115 | + int blockSize = (int)((unsigned)(pool->end - pool->start)*2U); | ||
116 | + | ||
117 | + if (blockSize < 0) | ||
118 | + return XML_FALSE; | ||
119 | + | ||
120 | + temp = (BLOCK *) | ||
121 | pool->mem->realloc_fcn(pool->blocks, | ||
122 | (offsetof(BLOCK, s) | ||
123 | + blockSize * sizeof(XML_Char))); | ||
124 | @@ -6264,6 +6270,10 @@ poolGrow(STRING_POOL *pool) | ||
125 | else { | ||
126 | BLOCK *tem; | ||
127 | int blockSize = (int)(pool->end - pool->start); | ||
128 | + | ||
129 | + if (blockSize < 0) | ||
130 | + return XML_FALSE; | ||
131 | + | ||
132 | if (blockSize < INIT_BLOCK_SIZE) | ||
133 | blockSize = INIT_BLOCK_SIZE; | ||
134 | else | ||
135 | diff --git a/lib/xmltok.c b/lib/xmltok.c | ||
136 | index bf09dfc..cb98ce1 100644 | ||
137 | --- a/lib/xmltok.c | ||
138 | +++ b/lib/xmltok.c | ||
139 | @@ -318,39 +318,55 @@ enum { /* UTF8_cvalN is value of masked first byte of N byte sequence */ | ||
140 | UTF8_cval4 = 0xf0 | ||
141 | }; | ||
142 | |||
143 | -static void PTRCALL | ||
144 | +static enum XML_Convert_Result PTRCALL | ||
145 | utf8_toUtf8(const ENCODING *enc, | ||
146 | const char **fromP, const char *fromLim, | ||
147 | char **toP, const char *toLim) | ||
148 | { | ||
149 | + enum XML_Convert_Result res = XML_CONVERT_COMPLETED; | ||
150 | char *to; | ||
151 | const char *from; | ||
152 | if (fromLim - *fromP > toLim - *toP) { | ||
153 | /* Avoid copying partial characters. */ | ||
154 | + res = XML_CONVERT_OUTPUT_EXHAUSTED; | ||
155 | for (fromLim = *fromP + (toLim - *toP); fromLim > *fromP; fromLim--) | ||
156 | if (((unsigned char)fromLim[-1] & 0xc0) != 0x80) | ||
157 | break; | ||
158 | } | ||
159 | - for (to = *toP, from = *fromP; from != fromLim; from++, to++) | ||
160 | + for (to = *toP, from = *fromP; (from < fromLim) && (to < toLim); from++, to++) | ||
161 | *to = *from; | ||
162 | *fromP = from; | ||
163 | *toP = to; | ||
164 | + | ||
165 | + if ((to == toLim) && (from < fromLim)) | ||
166 | + return XML_CONVERT_OUTPUT_EXHAUSTED; | ||
167 | + else | ||
168 | + return res; | ||
169 | } | ||
170 | |||
171 | -static void PTRCALL | ||
172 | +static enum XML_Convert_Result PTRCALL | ||
173 | utf8_toUtf16(const ENCODING *enc, | ||
174 | const char **fromP, const char *fromLim, | ||
175 | unsigned short **toP, const unsigned short *toLim) | ||
176 | { | ||
177 | + enum XML_Convert_Result res = XML_CONVERT_COMPLETED; | ||
178 | unsigned short *to = *toP; | ||
179 | const char *from = *fromP; | ||
180 | - while (from != fromLim && to != toLim) { | ||
181 | + while (from < fromLim && to < toLim) { | ||
182 | switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) { | ||
183 | case BT_LEAD2: | ||
184 | + if (fromLim - from < 2) { | ||
185 | + res = XML_CONVERT_INPUT_INCOMPLETE; | ||
186 | + break; | ||
187 | + } | ||
188 | *to++ = (unsigned short)(((from[0] & 0x1f) << 6) | (from[1] & 0x3f)); | ||
189 | from += 2; | ||
190 | break; | ||
191 | case BT_LEAD3: | ||
192 | + if (fromLim - from < 3) { | ||
193 | + res = XML_CONVERT_INPUT_INCOMPLETE; | ||
194 | + break; | ||
195 | + } | ||
196 | *to++ = (unsigned short)(((from[0] & 0xf) << 12) | ||
197 | | ((from[1] & 0x3f) << 6) | (from[2] & 0x3f)); | ||
198 | from += 3; | ||
199 | @@ -358,8 +374,14 @@ utf8_toUtf16(const ENCODING *enc, | ||
200 | case BT_LEAD4: | ||
201 | { | ||
202 | unsigned long n; | ||
203 | - if (to + 1 == toLim) | ||
204 | + if (toLim - to < 2) { | ||
205 | + res = XML_CONVERT_OUTPUT_EXHAUSTED; | ||
206 | goto after; | ||
207 | + } | ||
208 | + if (fromLim - from < 4) { | ||
209 | + res = XML_CONVERT_INPUT_INCOMPLETE; | ||
210 | + goto after; | ||
211 | + } | ||
212 | n = ((from[0] & 0x7) << 18) | ((from[1] & 0x3f) << 12) | ||
213 | | ((from[2] & 0x3f) << 6) | (from[3] & 0x3f); | ||
214 | n -= 0x10000; | ||
215 | @@ -377,6 +399,7 @@ utf8_toUtf16(const ENCODING *enc, | ||
216 | after: | ||
217 | *fromP = from; | ||
218 | *toP = to; | ||
219 | + return res; | ||
220 | } | ||
221 | |||
222 | #ifdef XML_NS | ||
223 | @@ -425,7 +448,7 @@ static const struct normal_encoding internal_utf8_encoding = { | ||
224 | STANDARD_VTABLE(sb_) NORMAL_VTABLE(utf8_) | ||
225 | }; | ||
226 | |||
227 | -static void PTRCALL | ||
228 | +static enum XML_Convert_Result PTRCALL | ||
229 | latin1_toUtf8(const ENCODING *enc, | ||
230 | const char **fromP, const char *fromLim, | ||
231 | char **toP, const char *toLim) | ||
232 | @@ -433,30 +456,35 @@ latin1_toUtf8(const ENCODING *enc, | ||
233 | for (;;) { | ||
234 | unsigned char c; | ||
235 | if (*fromP == fromLim) | ||
236 | - break; | ||
237 | + return XML_CONVERT_COMPLETED; | ||
238 | c = (unsigned char)**fromP; | ||
239 | if (c & 0x80) { | ||
240 | if (toLim - *toP < 2) | ||
241 | - break; | ||
242 | + return XML_CONVERT_OUTPUT_EXHAUSTED; | ||
243 | *(*toP)++ = (char)((c >> 6) | UTF8_cval2); | ||
244 | *(*toP)++ = (char)((c & 0x3f) | 0x80); | ||
245 | (*fromP)++; | ||
246 | } | ||
247 | else { | ||
248 | if (*toP == toLim) | ||
249 | - break; | ||
250 | + return XML_CONVERT_OUTPUT_EXHAUSTED; | ||
251 | *(*toP)++ = *(*fromP)++; | ||
252 | } | ||
253 | } | ||
254 | } | ||
255 | |||
256 | -static void PTRCALL | ||
257 | +static enum XML_Convert_Result PTRCALL | ||
258 | latin1_toUtf16(const ENCODING *enc, | ||
259 | const char **fromP, const char *fromLim, | ||
260 | unsigned short **toP, const unsigned short *toLim) | ||
261 | { | ||
262 | - while (*fromP != fromLim && *toP != toLim) | ||
263 | + while (*fromP < fromLim && *toP < toLim) | ||
264 | *(*toP)++ = (unsigned char)*(*fromP)++; | ||
265 | + | ||
266 | + if ((*toP == toLim) && (*fromP < fromLim)) | ||
267 | + return XML_CONVERT_OUTPUT_EXHAUSTED; | ||
268 | + else | ||
269 | + return XML_CONVERT_COMPLETED; | ||
270 | } | ||
271 | |||
272 | #ifdef XML_NS | ||
273 | @@ -483,13 +511,18 @@ static const struct normal_encoding latin1_encoding = { | ||
274 | STANDARD_VTABLE(sb_) | ||
275 | }; | ||
276 | |||
277 | -static void PTRCALL | ||
278 | +static enum XML_Convert_Result PTRCALL | ||
279 | ascii_toUtf8(const ENCODING *enc, | ||
280 | const char **fromP, const char *fromLim, | ||
281 | char **toP, const char *toLim) | ||
282 | { | ||
283 | - while (*fromP != fromLim && *toP != toLim) | ||
284 | + while (*fromP < fromLim && *toP < toLim) | ||
285 | *(*toP)++ = *(*fromP)++; | ||
286 | + | ||
287 | + if ((*toP == toLim) && (*fromP < fromLim)) | ||
288 | + return XML_CONVERT_OUTPUT_EXHAUSTED; | ||
289 | + else | ||
290 | + return XML_CONVERT_COMPLETED; | ||
291 | } | ||
292 | |||
293 | #ifdef XML_NS | ||
294 | @@ -536,13 +569,14 @@ unicode_byte_type(char hi, char lo) | ||
295 | } | ||
296 | |||
297 | #define DEFINE_UTF16_TO_UTF8(E) \ | ||
298 | -static void PTRCALL \ | ||
299 | +static enum XML_Convert_Result PTRCALL \ | ||
300 | E ## toUtf8(const ENCODING *enc, \ | ||
301 | const char **fromP, const char *fromLim, \ | ||
302 | char **toP, const char *toLim) \ | ||
303 | { \ | ||
304 | - const char *from; \ | ||
305 | - for (from = *fromP; from != fromLim; from += 2) { \ | ||
306 | + const char *from = *fromP; \ | ||
307 | + fromLim = from + (((fromLim - from) >> 1) << 1); /* shrink to even */ \ | ||
308 | + for (; from < fromLim; from += 2) { \ | ||
309 | int plane; \ | ||
310 | unsigned char lo2; \ | ||
311 | unsigned char lo = GET_LO(from); \ | ||
312 | @@ -552,7 +586,7 @@ E ## toUtf8(const ENCODING *enc, \ | ||
313 | if (lo < 0x80) { \ | ||
314 | if (*toP == toLim) { \ | ||
315 | *fromP = from; \ | ||
316 | - return; \ | ||
317 | + return XML_CONVERT_OUTPUT_EXHAUSTED; \ | ||
318 | } \ | ||
319 | *(*toP)++ = lo; \ | ||
320 | break; \ | ||
321 | @@ -562,7 +596,7 @@ E ## toUtf8(const ENCODING *enc, \ | ||
322 | case 0x4: case 0x5: case 0x6: case 0x7: \ | ||
323 | if (toLim - *toP < 2) { \ | ||
324 | *fromP = from; \ | ||
325 | - return; \ | ||
326 | + return XML_CONVERT_OUTPUT_EXHAUSTED; \ | ||
327 | } \ | ||
328 | *(*toP)++ = ((lo >> 6) | (hi << 2) | UTF8_cval2); \ | ||
329 | *(*toP)++ = ((lo & 0x3f) | 0x80); \ | ||
330 | @@ -570,7 +604,7 @@ E ## toUtf8(const ENCODING *enc, \ | ||
331 | default: \ | ||
332 | if (toLim - *toP < 3) { \ | ||
333 | *fromP = from; \ | ||
334 | - return; \ | ||
335 | + return XML_CONVERT_OUTPUT_EXHAUSTED; \ | ||
336 | } \ | ||
337 | /* 16 bits divided 4, 6, 6 amongst 3 bytes */ \ | ||
338 | *(*toP)++ = ((hi >> 4) | UTF8_cval3); \ | ||
339 | @@ -580,7 +614,11 @@ E ## toUtf8(const ENCODING *enc, \ | ||
340 | case 0xD8: case 0xD9: case 0xDA: case 0xDB: \ | ||
341 | if (toLim - *toP < 4) { \ | ||
342 | *fromP = from; \ | ||
343 | - return; \ | ||
344 | + return XML_CONVERT_OUTPUT_EXHAUSTED; \ | ||
345 | + } \ | ||
346 | + if (fromLim - from < 4) { \ | ||
347 | + *fromP = from; \ | ||
348 | + return XML_CONVERT_INPUT_INCOMPLETE; \ | ||
349 | } \ | ||
350 | plane = (((hi & 0x3) << 2) | ((lo >> 6) & 0x3)) + 1; \ | ||
351 | *(*toP)++ = ((plane >> 2) | UTF8_cval4); \ | ||
352 | @@ -596,20 +634,32 @@ E ## toUtf8(const ENCODING *enc, \ | ||
353 | } \ | ||
354 | } \ | ||
355 | *fromP = from; \ | ||
356 | + if (from < fromLim) \ | ||
357 | + return XML_CONVERT_INPUT_INCOMPLETE; \ | ||
358 | + else \ | ||
359 | + return XML_CONVERT_COMPLETED; \ | ||
360 | } | ||
361 | |||
362 | #define DEFINE_UTF16_TO_UTF16(E) \ | ||
363 | -static void PTRCALL \ | ||
364 | +static enum XML_Convert_Result PTRCALL \ | ||
365 | E ## toUtf16(const ENCODING *enc, \ | ||
366 | const char **fromP, const char *fromLim, \ | ||
367 | unsigned short **toP, const unsigned short *toLim) \ | ||
368 | { \ | ||
369 | + enum XML_Convert_Result res = XML_CONVERT_COMPLETED; \ | ||
370 | + fromLim = *fromP + (((fromLim - *fromP) >> 1) << 1); /* shrink to even */ \ | ||
371 | /* Avoid copying first half only of surrogate */ \ | ||
372 | if (fromLim - *fromP > ((toLim - *toP) << 1) \ | ||
373 | - && (GET_HI(fromLim - 2) & 0xF8) == 0xD8) \ | ||
374 | + && (GET_HI(fromLim - 2) & 0xF8) == 0xD8) { \ | ||
375 | fromLim -= 2; \ | ||
376 | - for (; *fromP != fromLim && *toP != toLim; *fromP += 2) \ | ||
377 | + res = XML_CONVERT_INPUT_INCOMPLETE; \ | ||
378 | + } \ | ||
379 | + for (; *fromP < fromLim && *toP < toLim; *fromP += 2) \ | ||
380 | *(*toP)++ = (GET_HI(*fromP) << 8) | GET_LO(*fromP); \ | ||
381 | + if ((*toP == toLim) && (*fromP < fromLim)) \ | ||
382 | + return XML_CONVERT_OUTPUT_EXHAUSTED; \ | ||
383 | + else \ | ||
384 | + return res; \ | ||
385 | } | ||
386 | |||
387 | #define SET2(ptr, ch) \ | ||
388 | @@ -1288,7 +1338,7 @@ unknown_isInvalid(const ENCODING *enc, const char *p) | ||
389 | return (c & ~0xFFFF) || checkCharRefNumber(c) < 0; | ||
390 | } | ||
391 | |||
392 | -static void PTRCALL | ||
393 | +static enum XML_Convert_Result PTRCALL | ||
394 | unknown_toUtf8(const ENCODING *enc, | ||
395 | const char **fromP, const char *fromLim, | ||
396 | char **toP, const char *toLim) | ||
397 | @@ -1299,21 +1349,21 @@ unknown_toUtf8(const ENCODING *enc, | ||
398 | const char *utf8; | ||
399 | int n; | ||
400 | if (*fromP == fromLim) | ||
401 | - break; | ||
402 | + return XML_CONVERT_COMPLETED; | ||
403 | utf8 = uenc->utf8[(unsigned char)**fromP]; | ||
404 | n = *utf8++; | ||
405 | if (n == 0) { | ||
406 | int c = uenc->convert(uenc->userData, *fromP); | ||
407 | n = XmlUtf8Encode(c, buf); | ||
408 | if (n > toLim - *toP) | ||
409 | - break; | ||
410 | + return XML_CONVERT_OUTPUT_EXHAUSTED; | ||
411 | utf8 = buf; | ||
412 | *fromP += (AS_NORMAL_ENCODING(enc)->type[(unsigned char)**fromP] | ||
413 | - (BT_LEAD2 - 2)); | ||
414 | } | ||
415 | else { | ||
416 | if (n > toLim - *toP) | ||
417 | - break; | ||
418 | + return XML_CONVERT_OUTPUT_EXHAUSTED; | ||
419 | (*fromP)++; | ||
420 | } | ||
421 | do { | ||
422 | @@ -1322,13 +1372,13 @@ unknown_toUtf8(const ENCODING *enc, | ||
423 | } | ||
424 | } | ||
425 | |||
426 | -static void PTRCALL | ||
427 | +static enum XML_Convert_Result PTRCALL | ||
428 | unknown_toUtf16(const ENCODING *enc, | ||
429 | const char **fromP, const char *fromLim, | ||
430 | unsigned short **toP, const unsigned short *toLim) | ||
431 | { | ||
432 | const struct unknown_encoding *uenc = AS_UNKNOWN_ENCODING(enc); | ||
433 | - while (*fromP != fromLim && *toP != toLim) { | ||
434 | + while (*fromP < fromLim && *toP < toLim) { | ||
435 | unsigned short c = uenc->utf16[(unsigned char)**fromP]; | ||
436 | if (c == 0) { | ||
437 | c = (unsigned short) | ||
438 | @@ -1340,6 +1390,11 @@ unknown_toUtf16(const ENCODING *enc, | ||
439 | (*fromP)++; | ||
440 | *(*toP)++ = c; | ||
441 | } | ||
442 | + | ||
443 | + if ((*toP == toLim) && (*fromP < fromLim)) | ||
444 | + return XML_CONVERT_OUTPUT_EXHAUSTED; | ||
445 | + else | ||
446 | + return XML_CONVERT_COMPLETED; | ||
447 | } | ||
448 | |||
449 | ENCODING * | ||
450 | @@ -1503,7 +1558,7 @@ initScan(const ENCODING * const *encodingTable, | ||
451 | { | ||
452 | const ENCODING **encPtr; | ||
453 | |||
454 | - if (ptr == end) | ||
455 | + if (ptr >= end) | ||
456 | return XML_TOK_NONE; | ||
457 | encPtr = enc->encPtr; | ||
458 | if (ptr + 1 == end) { | ||
459 | diff --git a/lib/xmltok.h b/lib/xmltok.h | ||
460 | index ca867aa..752007e 100644 | ||
461 | --- a/lib/xmltok.h | ||
462 | +++ b/lib/xmltok.h | ||
463 | @@ -130,6 +130,12 @@ typedef int (PTRCALL *SCANNER)(const ENCODING *, | ||
464 | const char *, | ||
465 | const char **); | ||
466 | |||
467 | +enum XML_Convert_Result { | ||
468 | + XML_CONVERT_COMPLETED = 0, | ||
469 | + XML_CONVERT_INPUT_INCOMPLETE = 1, | ||
470 | + XML_CONVERT_OUTPUT_EXHAUSTED = 2 /* and therefore potentially input remaining as well */ | ||
471 | +}; | ||
472 | + | ||
473 | struct encoding { | ||
474 | SCANNER scanners[XML_N_STATES]; | ||
475 | SCANNER literalScanners[XML_N_LITERAL_TYPES]; | ||
476 | @@ -158,12 +164,12 @@ struct encoding { | ||
477 | const char *ptr, | ||
478 | const char *end, | ||
479 | const char **badPtr); | ||
480 | - void (PTRCALL *utf8Convert)(const ENCODING *enc, | ||
481 | + enum XML_Convert_Result (PTRCALL *utf8Convert)(const ENCODING *enc, | ||
482 | const char **fromP, | ||
483 | const char *fromLim, | ||
484 | char **toP, | ||
485 | const char *toLim); | ||
486 | - void (PTRCALL *utf16Convert)(const ENCODING *enc, | ||
487 | + enum XML_Convert_Result (PTRCALL *utf16Convert)(const ENCODING *enc, | ||
488 | const char **fromP, | ||
489 | const char *fromLim, | ||
490 | unsigned short **toP, | ||
491 | diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c | ||
492 | index 9c2895b..6c5a3ba 100644 | ||
493 | --- a/lib/xmltok_impl.c | ||
494 | +++ b/lib/xmltok_impl.c | ||
495 | @@ -93,13 +93,13 @@ static int PTRCALL | ||
496 | PREFIX(scanComment)(const ENCODING *enc, const char *ptr, | ||
497 | const char *end, const char **nextTokPtr) | ||
498 | { | ||
499 | - if (ptr != end) { | ||
500 | + if (ptr < end) { | ||
501 | if (!CHAR_MATCHES(enc, ptr, ASCII_MINUS)) { | ||
502 | *nextTokPtr = ptr; | ||
503 | return XML_TOK_INVALID; | ||
504 | } | ||
505 | ptr += MINBPC(enc); | ||
506 | - while (ptr != end) { | ||
507 | + while (ptr < end) { | ||
508 | switch (BYTE_TYPE(enc, ptr)) { | ||
509 | INVALID_CASES(ptr, nextTokPtr) | ||
510 | case BT_MINUS: | ||
511 | @@ -147,7 +147,7 @@ PREFIX(scanDecl)(const ENCODING *enc, const char *ptr, | ||
512 | *nextTokPtr = ptr; | ||
513 | return XML_TOK_INVALID; | ||
514 | } | ||
515 | - while (ptr != end) { | ||
516 | + while (ptr < end) { | ||
517 | switch (BYTE_TYPE(enc, ptr)) { | ||
518 | case BT_PERCNT: | ||
519 | if (ptr + MINBPC(enc) == end) | ||
520 | @@ -233,7 +233,7 @@ PREFIX(scanPi)(const ENCODING *enc, const char *ptr, | ||
521 | *nextTokPtr = ptr; | ||
522 | return XML_TOK_INVALID; | ||
523 | } | ||
524 | - while (ptr != end) { | ||
525 | + while (ptr < end) { | ||
526 | switch (BYTE_TYPE(enc, ptr)) { | ||
527 | CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) | ||
528 | case BT_S: case BT_CR: case BT_LF: | ||
529 | @@ -242,7 +242,7 @@ PREFIX(scanPi)(const ENCODING *enc, const char *ptr, | ||
530 | return XML_TOK_INVALID; | ||
531 | } | ||
532 | ptr += MINBPC(enc); | ||
533 | - while (ptr != end) { | ||
534 | + while (ptr < end) { | ||
535 | switch (BYTE_TYPE(enc, ptr)) { | ||
536 | INVALID_CASES(ptr, nextTokPtr) | ||
537 | case BT_QUEST: | ||
538 | @@ -305,7 +305,7 @@ static int PTRCALL | ||
539 | PREFIX(cdataSectionTok)(const ENCODING *enc, const char *ptr, | ||
540 | const char *end, const char **nextTokPtr) | ||
541 | { | ||
542 | - if (ptr == end) | ||
543 | + if (ptr >= end) | ||
544 | return XML_TOK_NONE; | ||
545 | if (MINBPC(enc) > 1) { | ||
546 | size_t n = end - ptr; | ||
547 | @@ -348,7 +348,7 @@ PREFIX(cdataSectionTok)(const ENCODING *enc, const char *ptr, | ||
548 | ptr += MINBPC(enc); | ||
549 | break; | ||
550 | } | ||
551 | - while (ptr != end) { | ||
552 | + while (ptr < end) { | ||
553 | switch (BYTE_TYPE(enc, ptr)) { | ||
554 | #define LEAD_CASE(n) \ | ||
555 | case BT_LEAD ## n: \ | ||
556 | @@ -391,11 +391,11 @@ PREFIX(scanEndTag)(const ENCODING *enc, const char *ptr, | ||
557 | *nextTokPtr = ptr; | ||
558 | return XML_TOK_INVALID; | ||
559 | } | ||
560 | - while (ptr != end) { | ||
561 | + while (ptr < end) { | ||
562 | switch (BYTE_TYPE(enc, ptr)) { | ||
563 | CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) | ||
564 | case BT_S: case BT_CR: case BT_LF: | ||
565 | - for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) { | ||
566 | + for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) { | ||
567 | switch (BYTE_TYPE(enc, ptr)) { | ||
568 | case BT_S: case BT_CR: case BT_LF: | ||
569 | break; | ||
570 | @@ -432,7 +432,7 @@ static int PTRCALL | ||
571 | PREFIX(scanHexCharRef)(const ENCODING *enc, const char *ptr, | ||
572 | const char *end, const char **nextTokPtr) | ||
573 | { | ||
574 | - if (ptr != end) { | ||
575 | + if (ptr < end) { | ||
576 | switch (BYTE_TYPE(enc, ptr)) { | ||
577 | case BT_DIGIT: | ||
578 | case BT_HEX: | ||
579 | @@ -441,7 +441,7 @@ PREFIX(scanHexCharRef)(const ENCODING *enc, const char *ptr, | ||
580 | *nextTokPtr = ptr; | ||
581 | return XML_TOK_INVALID; | ||
582 | } | ||
583 | - for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) { | ||
584 | + for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) { | ||
585 | switch (BYTE_TYPE(enc, ptr)) { | ||
586 | case BT_DIGIT: | ||
587 | case BT_HEX: | ||
588 | @@ -464,7 +464,7 @@ static int PTRCALL | ||
589 | PREFIX(scanCharRef)(const ENCODING *enc, const char *ptr, | ||
590 | const char *end, const char **nextTokPtr) | ||
591 | { | ||
592 | - if (ptr != end) { | ||
593 | + if (ptr < end) { | ||
594 | if (CHAR_MATCHES(enc, ptr, ASCII_x)) | ||
595 | return PREFIX(scanHexCharRef)(enc, ptr + MINBPC(enc), end, nextTokPtr); | ||
596 | switch (BYTE_TYPE(enc, ptr)) { | ||
597 | @@ -474,7 +474,7 @@ PREFIX(scanCharRef)(const ENCODING *enc, const char *ptr, | ||
598 | *nextTokPtr = ptr; | ||
599 | return XML_TOK_INVALID; | ||
600 | } | ||
601 | - for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) { | ||
602 | + for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) { | ||
603 | switch (BYTE_TYPE(enc, ptr)) { | ||
604 | case BT_DIGIT: | ||
605 | break; | ||
606 | @@ -506,7 +506,7 @@ PREFIX(scanRef)(const ENCODING *enc, const char *ptr, const char *end, | ||
607 | *nextTokPtr = ptr; | ||
608 | return XML_TOK_INVALID; | ||
609 | } | ||
610 | - while (ptr != end) { | ||
611 | + while (ptr < end) { | ||
612 | switch (BYTE_TYPE(enc, ptr)) { | ||
613 | CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) | ||
614 | case BT_SEMI: | ||
615 | @@ -529,7 +529,7 @@ PREFIX(scanAtts)(const ENCODING *enc, const char *ptr, const char *end, | ||
616 | #ifdef XML_NS | ||
617 | int hadColon = 0; | ||
618 | #endif | ||
619 | - while (ptr != end) { | ||
620 | + while (ptr < end) { | ||
621 | switch (BYTE_TYPE(enc, ptr)) { | ||
622 | CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) | ||
623 | #ifdef XML_NS | ||
624 | @@ -716,7 +716,7 @@ PREFIX(scanLt)(const ENCODING *enc, const char *ptr, const char *end, | ||
625 | hadColon = 0; | ||
626 | #endif | ||
627 | /* we have a start-tag */ | ||
628 | - while (ptr != end) { | ||
629 | + while (ptr < end) { | ||
630 | switch (BYTE_TYPE(enc, ptr)) { | ||
631 | CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) | ||
632 | #ifdef XML_NS | ||
633 | @@ -740,7 +740,7 @@ PREFIX(scanLt)(const ENCODING *enc, const char *ptr, const char *end, | ||
634 | case BT_S: case BT_CR: case BT_LF: | ||
635 | { | ||
636 | ptr += MINBPC(enc); | ||
637 | - while (ptr != end) { | ||
638 | + while (ptr < end) { | ||
639 | switch (BYTE_TYPE(enc, ptr)) { | ||
640 | CHECK_NMSTRT_CASES(enc, ptr, end, nextTokPtr) | ||
641 | case BT_GT: | ||
642 | @@ -785,7 +785,7 @@ static int PTRCALL | ||
643 | PREFIX(contentTok)(const ENCODING *enc, const char *ptr, const char *end, | ||
644 | const char **nextTokPtr) | ||
645 | { | ||
646 | - if (ptr == end) | ||
647 | + if (ptr >= end) | ||
648 | return XML_TOK_NONE; | ||
649 | if (MINBPC(enc) > 1) { | ||
650 | size_t n = end - ptr; | ||
651 | @@ -832,7 +832,7 @@ PREFIX(contentTok)(const ENCODING *enc, const char *ptr, const char *end, | ||
652 | ptr += MINBPC(enc); | ||
653 | break; | ||
654 | } | ||
655 | - while (ptr != end) { | ||
656 | + while (ptr < end) { | ||
657 | switch (BYTE_TYPE(enc, ptr)) { | ||
658 | #define LEAD_CASE(n) \ | ||
659 | case BT_LEAD ## n: \ | ||
660 | @@ -895,7 +895,7 @@ PREFIX(scanPercent)(const ENCODING *enc, const char *ptr, const char *end, | ||
661 | *nextTokPtr = ptr; | ||
662 | return XML_TOK_INVALID; | ||
663 | } | ||
664 | - while (ptr != end) { | ||
665 | + while (ptr < end) { | ||
666 | switch (BYTE_TYPE(enc, ptr)) { | ||
667 | CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) | ||
668 | case BT_SEMI: | ||
669 | @@ -921,7 +921,7 @@ PREFIX(scanPoundName)(const ENCODING *enc, const char *ptr, const char *end, | ||
670 | *nextTokPtr = ptr; | ||
671 | return XML_TOK_INVALID; | ||
672 | } | ||
673 | - while (ptr != end) { | ||
674 | + while (ptr < end) { | ||
675 | switch (BYTE_TYPE(enc, ptr)) { | ||
676 | CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) | ||
677 | case BT_CR: case BT_LF: case BT_S: | ||
678 | @@ -941,7 +941,7 @@ PREFIX(scanLit)(int open, const ENCODING *enc, | ||
679 | const char *ptr, const char *end, | ||
680 | const char **nextTokPtr) | ||
681 | { | ||
682 | - while (ptr != end) { | ||
683 | + while (ptr < end) { | ||
684 | int t = BYTE_TYPE(enc, ptr); | ||
685 | switch (t) { | ||
686 | INVALID_CASES(ptr, nextTokPtr) | ||
687 | @@ -973,7 +973,7 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end, | ||
688 | const char **nextTokPtr) | ||
689 | { | ||
690 | int tok; | ||
691 | - if (ptr == end) | ||
692 | + if (ptr >= end) | ||
693 | return XML_TOK_NONE; | ||
694 | if (MINBPC(enc) > 1) { | ||
695 | size_t n = end - ptr; | ||
696 | @@ -1141,7 +1141,7 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end, | ||
697 | *nextTokPtr = ptr; | ||
698 | return XML_TOK_INVALID; | ||
699 | } | ||
700 | - while (ptr != end) { | ||
701 | + while (ptr < end) { | ||
702 | switch (BYTE_TYPE(enc, ptr)) { | ||
703 | CHECK_NAME_CASES(enc, ptr, end, nextTokPtr) | ||
704 | case BT_GT: case BT_RPAR: case BT_COMMA: | ||
705 | @@ -1204,10 +1204,10 @@ PREFIX(attributeValueTok)(const ENCODING *enc, const char *ptr, | ||
706 | const char *end, const char **nextTokPtr) | ||
707 | { | ||
708 | const char *start; | ||
709 | - if (ptr == end) | ||
710 | + if (ptr >= end) | ||
711 | return XML_TOK_NONE; | ||
712 | start = ptr; | ||
713 | - while (ptr != end) { | ||
714 | + while (ptr < end) { | ||
715 | switch (BYTE_TYPE(enc, ptr)) { | ||
716 | #define LEAD_CASE(n) \ | ||
717 | case BT_LEAD ## n: ptr += n; break; | ||
718 | @@ -1262,10 +1262,10 @@ PREFIX(entityValueTok)(const ENCODING *enc, const char *ptr, | ||
719 | const char *end, const char **nextTokPtr) | ||
720 | { | ||
721 | const char *start; | ||
722 | - if (ptr == end) | ||
723 | + if (ptr >= end) | ||
724 | return XML_TOK_NONE; | ||
725 | start = ptr; | ||
726 | - while (ptr != end) { | ||
727 | + while (ptr < end) { | ||
728 | switch (BYTE_TYPE(enc, ptr)) { | ||
729 | #define LEAD_CASE(n) \ | ||
730 | case BT_LEAD ## n: ptr += n; break; | ||
731 | @@ -1326,7 +1326,7 @@ PREFIX(ignoreSectionTok)(const ENCODING *enc, const char *ptr, | ||
732 | end = ptr + n; | ||
733 | } | ||
734 | } | ||
735 | - while (ptr != end) { | ||
736 | + while (ptr < end) { | ||
737 | switch (BYTE_TYPE(enc, ptr)) { | ||
738 | INVALID_CASES(ptr, nextTokPtr) | ||
739 | case BT_LT: | ||
740 | @@ -1373,7 +1373,7 @@ PREFIX(isPublicId)(const ENCODING *enc, const char *ptr, const char *end, | ||
741 | { | ||
742 | ptr += MINBPC(enc); | ||
743 | end -= MINBPC(enc); | ||
744 | - for (; ptr != end; ptr += MINBPC(enc)) { | ||
745 | + for (; ptr < end; ptr += MINBPC(enc)) { | ||
746 | switch (BYTE_TYPE(enc, ptr)) { | ||
747 | case BT_DIGIT: | ||
748 | case BT_HEX: | ||
749 | @@ -1760,7 +1760,7 @@ PREFIX(updatePosition)(const ENCODING *enc, | ||
750 | case BT_CR: | ||
751 | pos->lineNumber++; | ||
752 | ptr += MINBPC(enc); | ||
753 | - if (ptr != end && BYTE_TYPE(enc, ptr) == BT_LF) | ||
754 | + if (ptr < end && BYTE_TYPE(enc, ptr) == BT_LF) | ||
755 | ptr += MINBPC(enc); | ||
756 | pos->columnNumber = (XML_Size)-1; | ||
757 | break; | ||
758 | -- | ||
759 | 2.8.2 | ||
760 | |||