summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorYi Zhao <yi.zhao@windriver.com>2016-06-17 11:20:58 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-06-23 14:26:14 +0100
commita02911390cc09d9f2ac15142982142c459a143d5 (patch)
treecddb42ea5a7d0481fa136f4926b80ebeab4c8fbe /meta
parentc0238cb902054296025446ed41a98bf4ed89dd04 (diff)
downloadpoky-a02911390cc09d9f2ac15142982142c459a143d5.tar.gz
expat: CVE-2016-0718
Fix CVE-2016-0718: expat XML parser crashes on malformed input External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718 https://bugzilla.redhat.com/show_bug.cgi?id=1296102 https://bugzilla.suse.com/show_bug.cgi?id=979441 Patch from: https://bugzilla.redhat.com/show_bug.cgi?id=1296102 (From OE-Core rev: 6589de727ba9c9901fdd53d31bd88ad0f17f3905) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-core/expat/expat.inc1
-rw-r--r--meta/recipes-core/expat/expat/CVE-2016-0718.patch760
2 files changed, 761 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat.inc b/meta/recipes-core/expat/expat.inc
index fe9d7e74f0..3d8429c513 100644
--- a/meta/recipes-core/expat/expat.inc
+++ b/meta/recipes-core/expat/expat.inc
@@ -6,6 +6,7 @@ LICENSE = "MIT"
6 6
7SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \ 7SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
8 file://autotools.patch \ 8 file://autotools.patch \
9 file://CVE-2016-0718.patch \
9 " 10 "
10 11
11inherit autotools lib_package gzipnative 12inherit autotools lib_package gzipnative
diff --git a/meta/recipes-core/expat/expat/CVE-2016-0718.patch b/meta/recipes-core/expat/expat/CVE-2016-0718.patch
new file mode 100644
index 0000000000..3fff5e9b0e
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2016-0718.patch
@@ -0,0 +1,760 @@
1From cdfcb1b5c95e93b00ae9e9d25708b4a3bee72c15 Mon Sep 17 00:00:00 2001
2From: Sebastian Pipping <sebastian@pipping.org>
3Date: Mon, 2 May 2016 00:02:44 +0200
4Subject: [PATCH] Address CVE-2016-0718 (/patch/ version 2.2.1)
5
6* Out of bounds memory access when doing text conversion on malformed input
7* Integer overflow related to memory allocation
8
9Reported by Gustavo Grieco
10
11Patch credits go to
12* Christian Heimes
13* Karl Waclawek
14* Gustavo Grieco
15* Sebastian Pipping
16* Pascal Cuoq
17
18CVE: CVE-2016-0718
19Upstream-Status: Backport
20
21Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
22---
23 expat/lib/xmlparse.c | 34 +++++++++-----
24 expat/lib/xmltok.c | 115 +++++++++++++++++++++++++++++++++++-------------
25 expat/lib/xmltok.h | 10 ++++-
26 expat/lib/xmltok_impl.c | 62 +++++++++++++-------------
27 4 files changed, 146 insertions(+), 75 deletions(-)
28
29diff --git a/lib/xmlparse.c b/lib/xmlparse.c
30index e308c79..13e080d 100644
31--- a/lib/xmlparse.c
32+++ b/lib/xmlparse.c
33@@ -2426,11 +2426,11 @@ doContent(XML_Parser parser,
34 for (;;) {
35 int bufSize;
36 int convLen;
37- XmlConvert(enc,
38+ const enum XML_Convert_Result convert_res = XmlConvert(enc,
39 &fromPtr, rawNameEnd,
40 (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1);
41 convLen = (int)(toPtr - (XML_Char *)tag->buf);
42- if (fromPtr == rawNameEnd) {
43+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) {
44 tag->name.strLen = convLen;
45 break;
46 }
47@@ -2651,11 +2651,11 @@ doContent(XML_Parser parser,
48 if (MUST_CONVERT(enc, s)) {
49 for (;;) {
50 ICHAR *dataPtr = (ICHAR *)dataBuf;
51- XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
52+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
53 *eventEndPP = s;
54 charDataHandler(handlerArg, dataBuf,
55 (int)(dataPtr - (ICHAR *)dataBuf));
56- if (s == next)
57+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
58 break;
59 *eventPP = s;
60 }
61@@ -3261,11 +3261,11 @@ doCdataSection(XML_Parser parser,
62 if (MUST_CONVERT(enc, s)) {
63 for (;;) {
64 ICHAR *dataPtr = (ICHAR *)dataBuf;
65- XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
66+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
67 *eventEndPP = next;
68 charDataHandler(handlerArg, dataBuf,
69 (int)(dataPtr - (ICHAR *)dataBuf));
70- if (s == next)
71+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
72 break;
73 *eventPP = s;
74 }
75@@ -5342,6 +5342,7 @@ reportDefault(XML_Parser parser, const ENCODING *enc,
76 const char *s, const char *end)
77 {
78 if (MUST_CONVERT(enc, s)) {
79+ enum XML_Convert_Result convert_res;
80 const char **eventPP;
81 const char **eventEndPP;
82 if (enc == encoding) {
83@@ -5354,11 +5355,11 @@ reportDefault(XML_Parser parser, const ENCODING *enc,
84 }
85 do {
86 ICHAR *dataPtr = (ICHAR *)dataBuf;
87- XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
88+ convert_res = XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
89 *eventEndPP = s;
90 defaultHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf));
91 *eventPP = s;
92- } while (s != end);
93+ } while ((convert_res != XML_CONVERT_COMPLETED) && (convert_res != XML_CONVERT_INPUT_INCOMPLETE));
94 }
95 else
96 defaultHandler(handlerArg, (XML_Char *)s, (int)((XML_Char *)end - (XML_Char *)s));
97@@ -6163,8 +6164,8 @@ poolAppend(STRING_POOL *pool, const ENCODING *enc,
98 if (!pool->ptr && !poolGrow(pool))
99 return NULL;
100 for (;;) {
101- XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
102- if (ptr == end)
103+ const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
104+ if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
105 break;
106 if (!poolGrow(pool))
107 return NULL;
108@@ -6248,8 +6249,13 @@ poolGrow(STRING_POOL *pool)
109 }
110 }
111 if (pool->blocks && pool->start == pool->blocks->s) {
112- int blockSize = (int)(pool->end - pool->start)*2;
113- BLOCK *temp = (BLOCK *)
114+ BLOCK *temp;
115+ int blockSize = (int)((unsigned)(pool->end - pool->start)*2U);
116+
117+ if (blockSize < 0)
118+ return XML_FALSE;
119+
120+ temp = (BLOCK *)
121 pool->mem->realloc_fcn(pool->blocks,
122 (offsetof(BLOCK, s)
123 + blockSize * sizeof(XML_Char)));
124@@ -6264,6 +6270,10 @@ poolGrow(STRING_POOL *pool)
125 else {
126 BLOCK *tem;
127 int blockSize = (int)(pool->end - pool->start);
128+
129+ if (blockSize < 0)
130+ return XML_FALSE;
131+
132 if (blockSize < INIT_BLOCK_SIZE)
133 blockSize = INIT_BLOCK_SIZE;
134 else
135diff --git a/lib/xmltok.c b/lib/xmltok.c
136index bf09dfc..cb98ce1 100644
137--- a/lib/xmltok.c
138+++ b/lib/xmltok.c
139@@ -318,39 +318,55 @@ enum { /* UTF8_cvalN is value of masked first byte of N byte sequence */
140 UTF8_cval4 = 0xf0
141 };
142
143-static void PTRCALL
144+static enum XML_Convert_Result PTRCALL
145 utf8_toUtf8(const ENCODING *enc,
146 const char **fromP, const char *fromLim,
147 char **toP, const char *toLim)
148 {
149+ enum XML_Convert_Result res = XML_CONVERT_COMPLETED;
150 char *to;
151 const char *from;
152 if (fromLim - *fromP > toLim - *toP) {
153 /* Avoid copying partial characters. */
154+ res = XML_CONVERT_OUTPUT_EXHAUSTED;
155 for (fromLim = *fromP + (toLim - *toP); fromLim > *fromP; fromLim--)
156 if (((unsigned char)fromLim[-1] & 0xc0) != 0x80)
157 break;
158 }
159- for (to = *toP, from = *fromP; from != fromLim; from++, to++)
160+ for (to = *toP, from = *fromP; (from < fromLim) && (to < toLim); from++, to++)
161 *to = *from;
162 *fromP = from;
163 *toP = to;
164+
165+ if ((to == toLim) && (from < fromLim))
166+ return XML_CONVERT_OUTPUT_EXHAUSTED;
167+ else
168+ return res;
169 }
170
171-static void PTRCALL
172+static enum XML_Convert_Result PTRCALL
173 utf8_toUtf16(const ENCODING *enc,
174 const char **fromP, const char *fromLim,
175 unsigned short **toP, const unsigned short *toLim)
176 {
177+ enum XML_Convert_Result res = XML_CONVERT_COMPLETED;
178 unsigned short *to = *toP;
179 const char *from = *fromP;
180- while (from != fromLim && to != toLim) {
181+ while (from < fromLim && to < toLim) {
182 switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) {
183 case BT_LEAD2:
184+ if (fromLim - from < 2) {
185+ res = XML_CONVERT_INPUT_INCOMPLETE;
186+ break;
187+ }
188 *to++ = (unsigned short)(((from[0] & 0x1f) << 6) | (from[1] & 0x3f));
189 from += 2;
190 break;
191 case BT_LEAD3:
192+ if (fromLim - from < 3) {
193+ res = XML_CONVERT_INPUT_INCOMPLETE;
194+ break;
195+ }
196 *to++ = (unsigned short)(((from[0] & 0xf) << 12)
197 | ((from[1] & 0x3f) << 6) | (from[2] & 0x3f));
198 from += 3;
199@@ -358,8 +374,14 @@ utf8_toUtf16(const ENCODING *enc,
200 case BT_LEAD4:
201 {
202 unsigned long n;
203- if (to + 1 == toLim)
204+ if (toLim - to < 2) {
205+ res = XML_CONVERT_OUTPUT_EXHAUSTED;
206 goto after;
207+ }
208+ if (fromLim - from < 4) {
209+ res = XML_CONVERT_INPUT_INCOMPLETE;
210+ goto after;
211+ }
212 n = ((from[0] & 0x7) << 18) | ((from[1] & 0x3f) << 12)
213 | ((from[2] & 0x3f) << 6) | (from[3] & 0x3f);
214 n -= 0x10000;
215@@ -377,6 +399,7 @@ utf8_toUtf16(const ENCODING *enc,
216 after:
217 *fromP = from;
218 *toP = to;
219+ return res;
220 }
221
222 #ifdef XML_NS
223@@ -425,7 +448,7 @@ static const struct normal_encoding internal_utf8_encoding = {
224 STANDARD_VTABLE(sb_) NORMAL_VTABLE(utf8_)
225 };
226
227-static void PTRCALL
228+static enum XML_Convert_Result PTRCALL
229 latin1_toUtf8(const ENCODING *enc,
230 const char **fromP, const char *fromLim,
231 char **toP, const char *toLim)
232@@ -433,30 +456,35 @@ latin1_toUtf8(const ENCODING *enc,
233 for (;;) {
234 unsigned char c;
235 if (*fromP == fromLim)
236- break;
237+ return XML_CONVERT_COMPLETED;
238 c = (unsigned char)**fromP;
239 if (c & 0x80) {
240 if (toLim - *toP < 2)
241- break;
242+ return XML_CONVERT_OUTPUT_EXHAUSTED;
243 *(*toP)++ = (char)((c >> 6) | UTF8_cval2);
244 *(*toP)++ = (char)((c & 0x3f) | 0x80);
245 (*fromP)++;
246 }
247 else {
248 if (*toP == toLim)
249- break;
250+ return XML_CONVERT_OUTPUT_EXHAUSTED;
251 *(*toP)++ = *(*fromP)++;
252 }
253 }
254 }
255
256-static void PTRCALL
257+static enum XML_Convert_Result PTRCALL
258 latin1_toUtf16(const ENCODING *enc,
259 const char **fromP, const char *fromLim,
260 unsigned short **toP, const unsigned short *toLim)
261 {
262- while (*fromP != fromLim && *toP != toLim)
263+ while (*fromP < fromLim && *toP < toLim)
264 *(*toP)++ = (unsigned char)*(*fromP)++;
265+
266+ if ((*toP == toLim) && (*fromP < fromLim))
267+ return XML_CONVERT_OUTPUT_EXHAUSTED;
268+ else
269+ return XML_CONVERT_COMPLETED;
270 }
271
272 #ifdef XML_NS
273@@ -483,13 +511,18 @@ static const struct normal_encoding latin1_encoding = {
274 STANDARD_VTABLE(sb_)
275 };
276
277-static void PTRCALL
278+static enum XML_Convert_Result PTRCALL
279 ascii_toUtf8(const ENCODING *enc,
280 const char **fromP, const char *fromLim,
281 char **toP, const char *toLim)
282 {
283- while (*fromP != fromLim && *toP != toLim)
284+ while (*fromP < fromLim && *toP < toLim)
285 *(*toP)++ = *(*fromP)++;
286+
287+ if ((*toP == toLim) && (*fromP < fromLim))
288+ return XML_CONVERT_OUTPUT_EXHAUSTED;
289+ else
290+ return XML_CONVERT_COMPLETED;
291 }
292
293 #ifdef XML_NS
294@@ -536,13 +569,14 @@ unicode_byte_type(char hi, char lo)
295 }
296
297 #define DEFINE_UTF16_TO_UTF8(E) \
298-static void PTRCALL \
299+static enum XML_Convert_Result PTRCALL \
300 E ## toUtf8(const ENCODING *enc, \
301 const char **fromP, const char *fromLim, \
302 char **toP, const char *toLim) \
303 { \
304- const char *from; \
305- for (from = *fromP; from != fromLim; from += 2) { \
306+ const char *from = *fromP; \
307+ fromLim = from + (((fromLim - from) >> 1) << 1); /* shrink to even */ \
308+ for (; from < fromLim; from += 2) { \
309 int plane; \
310 unsigned char lo2; \
311 unsigned char lo = GET_LO(from); \
312@@ -552,7 +586,7 @@ E ## toUtf8(const ENCODING *enc, \
313 if (lo < 0x80) { \
314 if (*toP == toLim) { \
315 *fromP = from; \
316- return; \
317+ return XML_CONVERT_OUTPUT_EXHAUSTED; \
318 } \
319 *(*toP)++ = lo; \
320 break; \
321@@ -562,7 +596,7 @@ E ## toUtf8(const ENCODING *enc, \
322 case 0x4: case 0x5: case 0x6: case 0x7: \
323 if (toLim - *toP < 2) { \
324 *fromP = from; \
325- return; \
326+ return XML_CONVERT_OUTPUT_EXHAUSTED; \
327 } \
328 *(*toP)++ = ((lo >> 6) | (hi << 2) | UTF8_cval2); \
329 *(*toP)++ = ((lo & 0x3f) | 0x80); \
330@@ -570,7 +604,7 @@ E ## toUtf8(const ENCODING *enc, \
331 default: \
332 if (toLim - *toP < 3) { \
333 *fromP = from; \
334- return; \
335+ return XML_CONVERT_OUTPUT_EXHAUSTED; \
336 } \
337 /* 16 bits divided 4, 6, 6 amongst 3 bytes */ \
338 *(*toP)++ = ((hi >> 4) | UTF8_cval3); \
339@@ -580,7 +614,11 @@ E ## toUtf8(const ENCODING *enc, \
340 case 0xD8: case 0xD9: case 0xDA: case 0xDB: \
341 if (toLim - *toP < 4) { \
342 *fromP = from; \
343- return; \
344+ return XML_CONVERT_OUTPUT_EXHAUSTED; \
345+ } \
346+ if (fromLim - from < 4) { \
347+ *fromP = from; \
348+ return XML_CONVERT_INPUT_INCOMPLETE; \
349 } \
350 plane = (((hi & 0x3) << 2) | ((lo >> 6) & 0x3)) + 1; \
351 *(*toP)++ = ((plane >> 2) | UTF8_cval4); \
352@@ -596,20 +634,32 @@ E ## toUtf8(const ENCODING *enc, \
353 } \
354 } \
355 *fromP = from; \
356+ if (from < fromLim) \
357+ return XML_CONVERT_INPUT_INCOMPLETE; \
358+ else \
359+ return XML_CONVERT_COMPLETED; \
360 }
361
362 #define DEFINE_UTF16_TO_UTF16(E) \
363-static void PTRCALL \
364+static enum XML_Convert_Result PTRCALL \
365 E ## toUtf16(const ENCODING *enc, \
366 const char **fromP, const char *fromLim, \
367 unsigned short **toP, const unsigned short *toLim) \
368 { \
369+ enum XML_Convert_Result res = XML_CONVERT_COMPLETED; \
370+ fromLim = *fromP + (((fromLim - *fromP) >> 1) << 1); /* shrink to even */ \
371 /* Avoid copying first half only of surrogate */ \
372 if (fromLim - *fromP > ((toLim - *toP) << 1) \
373- && (GET_HI(fromLim - 2) & 0xF8) == 0xD8) \
374+ && (GET_HI(fromLim - 2) & 0xF8) == 0xD8) { \
375 fromLim -= 2; \
376- for (; *fromP != fromLim && *toP != toLim; *fromP += 2) \
377+ res = XML_CONVERT_INPUT_INCOMPLETE; \
378+ } \
379+ for (; *fromP < fromLim && *toP < toLim; *fromP += 2) \
380 *(*toP)++ = (GET_HI(*fromP) << 8) | GET_LO(*fromP); \
381+ if ((*toP == toLim) && (*fromP < fromLim)) \
382+ return XML_CONVERT_OUTPUT_EXHAUSTED; \
383+ else \
384+ return res; \
385 }
386
387 #define SET2(ptr, ch) \
388@@ -1288,7 +1338,7 @@ unknown_isInvalid(const ENCODING *enc, const char *p)
389 return (c & ~0xFFFF) || checkCharRefNumber(c) < 0;
390 }
391
392-static void PTRCALL
393+static enum XML_Convert_Result PTRCALL
394 unknown_toUtf8(const ENCODING *enc,
395 const char **fromP, const char *fromLim,
396 char **toP, const char *toLim)
397@@ -1299,21 +1349,21 @@ unknown_toUtf8(const ENCODING *enc,
398 const char *utf8;
399 int n;
400 if (*fromP == fromLim)
401- break;
402+ return XML_CONVERT_COMPLETED;
403 utf8 = uenc->utf8[(unsigned char)**fromP];
404 n = *utf8++;
405 if (n == 0) {
406 int c = uenc->convert(uenc->userData, *fromP);
407 n = XmlUtf8Encode(c, buf);
408 if (n > toLim - *toP)
409- break;
410+ return XML_CONVERT_OUTPUT_EXHAUSTED;
411 utf8 = buf;
412 *fromP += (AS_NORMAL_ENCODING(enc)->type[(unsigned char)**fromP]
413 - (BT_LEAD2 - 2));
414 }
415 else {
416 if (n > toLim - *toP)
417- break;
418+ return XML_CONVERT_OUTPUT_EXHAUSTED;
419 (*fromP)++;
420 }
421 do {
422@@ -1322,13 +1372,13 @@ unknown_toUtf8(const ENCODING *enc,
423 }
424 }
425
426-static void PTRCALL
427+static enum XML_Convert_Result PTRCALL
428 unknown_toUtf16(const ENCODING *enc,
429 const char **fromP, const char *fromLim,
430 unsigned short **toP, const unsigned short *toLim)
431 {
432 const struct unknown_encoding *uenc = AS_UNKNOWN_ENCODING(enc);
433- while (*fromP != fromLim && *toP != toLim) {
434+ while (*fromP < fromLim && *toP < toLim) {
435 unsigned short c = uenc->utf16[(unsigned char)**fromP];
436 if (c == 0) {
437 c = (unsigned short)
438@@ -1340,6 +1390,11 @@ unknown_toUtf16(const ENCODING *enc,
439 (*fromP)++;
440 *(*toP)++ = c;
441 }
442+
443+ if ((*toP == toLim) && (*fromP < fromLim))
444+ return XML_CONVERT_OUTPUT_EXHAUSTED;
445+ else
446+ return XML_CONVERT_COMPLETED;
447 }
448
449 ENCODING *
450@@ -1503,7 +1558,7 @@ initScan(const ENCODING * const *encodingTable,
451 {
452 const ENCODING **encPtr;
453
454- if (ptr == end)
455+ if (ptr >= end)
456 return XML_TOK_NONE;
457 encPtr = enc->encPtr;
458 if (ptr + 1 == end) {
459diff --git a/lib/xmltok.h b/lib/xmltok.h
460index ca867aa..752007e 100644
461--- a/lib/xmltok.h
462+++ b/lib/xmltok.h
463@@ -130,6 +130,12 @@ typedef int (PTRCALL *SCANNER)(const ENCODING *,
464 const char *,
465 const char **);
466
467+enum XML_Convert_Result {
468+ XML_CONVERT_COMPLETED = 0,
469+ XML_CONVERT_INPUT_INCOMPLETE = 1,
470+ XML_CONVERT_OUTPUT_EXHAUSTED = 2 /* and therefore potentially input remaining as well */
471+};
472+
473 struct encoding {
474 SCANNER scanners[XML_N_STATES];
475 SCANNER literalScanners[XML_N_LITERAL_TYPES];
476@@ -158,12 +164,12 @@ struct encoding {
477 const char *ptr,
478 const char *end,
479 const char **badPtr);
480- void (PTRCALL *utf8Convert)(const ENCODING *enc,
481+ enum XML_Convert_Result (PTRCALL *utf8Convert)(const ENCODING *enc,
482 const char **fromP,
483 const char *fromLim,
484 char **toP,
485 const char *toLim);
486- void (PTRCALL *utf16Convert)(const ENCODING *enc,
487+ enum XML_Convert_Result (PTRCALL *utf16Convert)(const ENCODING *enc,
488 const char **fromP,
489 const char *fromLim,
490 unsigned short **toP,
491diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
492index 9c2895b..6c5a3ba 100644
493--- a/lib/xmltok_impl.c
494+++ b/lib/xmltok_impl.c
495@@ -93,13 +93,13 @@ static int PTRCALL
496 PREFIX(scanComment)(const ENCODING *enc, const char *ptr,
497 const char *end, const char **nextTokPtr)
498 {
499- if (ptr != end) {
500+ if (ptr < end) {
501 if (!CHAR_MATCHES(enc, ptr, ASCII_MINUS)) {
502 *nextTokPtr = ptr;
503 return XML_TOK_INVALID;
504 }
505 ptr += MINBPC(enc);
506- while (ptr != end) {
507+ while (ptr < end) {
508 switch (BYTE_TYPE(enc, ptr)) {
509 INVALID_CASES(ptr, nextTokPtr)
510 case BT_MINUS:
511@@ -147,7 +147,7 @@ PREFIX(scanDecl)(const ENCODING *enc, const char *ptr,
512 *nextTokPtr = ptr;
513 return XML_TOK_INVALID;
514 }
515- while (ptr != end) {
516+ while (ptr < end) {
517 switch (BYTE_TYPE(enc, ptr)) {
518 case BT_PERCNT:
519 if (ptr + MINBPC(enc) == end)
520@@ -233,7 +233,7 @@ PREFIX(scanPi)(const ENCODING *enc, const char *ptr,
521 *nextTokPtr = ptr;
522 return XML_TOK_INVALID;
523 }
524- while (ptr != end) {
525+ while (ptr < end) {
526 switch (BYTE_TYPE(enc, ptr)) {
527 CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
528 case BT_S: case BT_CR: case BT_LF:
529@@ -242,7 +242,7 @@ PREFIX(scanPi)(const ENCODING *enc, const char *ptr,
530 return XML_TOK_INVALID;
531 }
532 ptr += MINBPC(enc);
533- while (ptr != end) {
534+ while (ptr < end) {
535 switch (BYTE_TYPE(enc, ptr)) {
536 INVALID_CASES(ptr, nextTokPtr)
537 case BT_QUEST:
538@@ -305,7 +305,7 @@ static int PTRCALL
539 PREFIX(cdataSectionTok)(const ENCODING *enc, const char *ptr,
540 const char *end, const char **nextTokPtr)
541 {
542- if (ptr == end)
543+ if (ptr >= end)
544 return XML_TOK_NONE;
545 if (MINBPC(enc) > 1) {
546 size_t n = end - ptr;
547@@ -348,7 +348,7 @@ PREFIX(cdataSectionTok)(const ENCODING *enc, const char *ptr,
548 ptr += MINBPC(enc);
549 break;
550 }
551- while (ptr != end) {
552+ while (ptr < end) {
553 switch (BYTE_TYPE(enc, ptr)) {
554 #define LEAD_CASE(n) \
555 case BT_LEAD ## n: \
556@@ -391,11 +391,11 @@ PREFIX(scanEndTag)(const ENCODING *enc, const char *ptr,
557 *nextTokPtr = ptr;
558 return XML_TOK_INVALID;
559 }
560- while (ptr != end) {
561+ while (ptr < end) {
562 switch (BYTE_TYPE(enc, ptr)) {
563 CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
564 case BT_S: case BT_CR: case BT_LF:
565- for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) {
566+ for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) {
567 switch (BYTE_TYPE(enc, ptr)) {
568 case BT_S: case BT_CR: case BT_LF:
569 break;
570@@ -432,7 +432,7 @@ static int PTRCALL
571 PREFIX(scanHexCharRef)(const ENCODING *enc, const char *ptr,
572 const char *end, const char **nextTokPtr)
573 {
574- if (ptr != end) {
575+ if (ptr < end) {
576 switch (BYTE_TYPE(enc, ptr)) {
577 case BT_DIGIT:
578 case BT_HEX:
579@@ -441,7 +441,7 @@ PREFIX(scanHexCharRef)(const ENCODING *enc, const char *ptr,
580 *nextTokPtr = ptr;
581 return XML_TOK_INVALID;
582 }
583- for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) {
584+ for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) {
585 switch (BYTE_TYPE(enc, ptr)) {
586 case BT_DIGIT:
587 case BT_HEX:
588@@ -464,7 +464,7 @@ static int PTRCALL
589 PREFIX(scanCharRef)(const ENCODING *enc, const char *ptr,
590 const char *end, const char **nextTokPtr)
591 {
592- if (ptr != end) {
593+ if (ptr < end) {
594 if (CHAR_MATCHES(enc, ptr, ASCII_x))
595 return PREFIX(scanHexCharRef)(enc, ptr + MINBPC(enc), end, nextTokPtr);
596 switch (BYTE_TYPE(enc, ptr)) {
597@@ -474,7 +474,7 @@ PREFIX(scanCharRef)(const ENCODING *enc, const char *ptr,
598 *nextTokPtr = ptr;
599 return XML_TOK_INVALID;
600 }
601- for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) {
602+ for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) {
603 switch (BYTE_TYPE(enc, ptr)) {
604 case BT_DIGIT:
605 break;
606@@ -506,7 +506,7 @@ PREFIX(scanRef)(const ENCODING *enc, const char *ptr, const char *end,
607 *nextTokPtr = ptr;
608 return XML_TOK_INVALID;
609 }
610- while (ptr != end) {
611+ while (ptr < end) {
612 switch (BYTE_TYPE(enc, ptr)) {
613 CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
614 case BT_SEMI:
615@@ -529,7 +529,7 @@ PREFIX(scanAtts)(const ENCODING *enc, const char *ptr, const char *end,
616 #ifdef XML_NS
617 int hadColon = 0;
618 #endif
619- while (ptr != end) {
620+ while (ptr < end) {
621 switch (BYTE_TYPE(enc, ptr)) {
622 CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
623 #ifdef XML_NS
624@@ -716,7 +716,7 @@ PREFIX(scanLt)(const ENCODING *enc, const char *ptr, const char *end,
625 hadColon = 0;
626 #endif
627 /* we have a start-tag */
628- while (ptr != end) {
629+ while (ptr < end) {
630 switch (BYTE_TYPE(enc, ptr)) {
631 CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
632 #ifdef XML_NS
633@@ -740,7 +740,7 @@ PREFIX(scanLt)(const ENCODING *enc, const char *ptr, const char *end,
634 case BT_S: case BT_CR: case BT_LF:
635 {
636 ptr += MINBPC(enc);
637- while (ptr != end) {
638+ while (ptr < end) {
639 switch (BYTE_TYPE(enc, ptr)) {
640 CHECK_NMSTRT_CASES(enc, ptr, end, nextTokPtr)
641 case BT_GT:
642@@ -785,7 +785,7 @@ static int PTRCALL
643 PREFIX(contentTok)(const ENCODING *enc, const char *ptr, const char *end,
644 const char **nextTokPtr)
645 {
646- if (ptr == end)
647+ if (ptr >= end)
648 return XML_TOK_NONE;
649 if (MINBPC(enc) > 1) {
650 size_t n = end - ptr;
651@@ -832,7 +832,7 @@ PREFIX(contentTok)(const ENCODING *enc, const char *ptr, const char *end,
652 ptr += MINBPC(enc);
653 break;
654 }
655- while (ptr != end) {
656+ while (ptr < end) {
657 switch (BYTE_TYPE(enc, ptr)) {
658 #define LEAD_CASE(n) \
659 case BT_LEAD ## n: \
660@@ -895,7 +895,7 @@ PREFIX(scanPercent)(const ENCODING *enc, const char *ptr, const char *end,
661 *nextTokPtr = ptr;
662 return XML_TOK_INVALID;
663 }
664- while (ptr != end) {
665+ while (ptr < end) {
666 switch (BYTE_TYPE(enc, ptr)) {
667 CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
668 case BT_SEMI:
669@@ -921,7 +921,7 @@ PREFIX(scanPoundName)(const ENCODING *enc, const char *ptr, const char *end,
670 *nextTokPtr = ptr;
671 return XML_TOK_INVALID;
672 }
673- while (ptr != end) {
674+ while (ptr < end) {
675 switch (BYTE_TYPE(enc, ptr)) {
676 CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
677 case BT_CR: case BT_LF: case BT_S:
678@@ -941,7 +941,7 @@ PREFIX(scanLit)(int open, const ENCODING *enc,
679 const char *ptr, const char *end,
680 const char **nextTokPtr)
681 {
682- while (ptr != end) {
683+ while (ptr < end) {
684 int t = BYTE_TYPE(enc, ptr);
685 switch (t) {
686 INVALID_CASES(ptr, nextTokPtr)
687@@ -973,7 +973,7 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
688 const char **nextTokPtr)
689 {
690 int tok;
691- if (ptr == end)
692+ if (ptr >= end)
693 return XML_TOK_NONE;
694 if (MINBPC(enc) > 1) {
695 size_t n = end - ptr;
696@@ -1141,7 +1141,7 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
697 *nextTokPtr = ptr;
698 return XML_TOK_INVALID;
699 }
700- while (ptr != end) {
701+ while (ptr < end) {
702 switch (BYTE_TYPE(enc, ptr)) {
703 CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
704 case BT_GT: case BT_RPAR: case BT_COMMA:
705@@ -1204,10 +1204,10 @@ PREFIX(attributeValueTok)(const ENCODING *enc, const char *ptr,
706 const char *end, const char **nextTokPtr)
707 {
708 const char *start;
709- if (ptr == end)
710+ if (ptr >= end)
711 return XML_TOK_NONE;
712 start = ptr;
713- while (ptr != end) {
714+ while (ptr < end) {
715 switch (BYTE_TYPE(enc, ptr)) {
716 #define LEAD_CASE(n) \
717 case BT_LEAD ## n: ptr += n; break;
718@@ -1262,10 +1262,10 @@ PREFIX(entityValueTok)(const ENCODING *enc, const char *ptr,
719 const char *end, const char **nextTokPtr)
720 {
721 const char *start;
722- if (ptr == end)
723+ if (ptr >= end)
724 return XML_TOK_NONE;
725 start = ptr;
726- while (ptr != end) {
727+ while (ptr < end) {
728 switch (BYTE_TYPE(enc, ptr)) {
729 #define LEAD_CASE(n) \
730 case BT_LEAD ## n: ptr += n; break;
731@@ -1326,7 +1326,7 @@ PREFIX(ignoreSectionTok)(const ENCODING *enc, const char *ptr,
732 end = ptr + n;
733 }
734 }
735- while (ptr != end) {
736+ while (ptr < end) {
737 switch (BYTE_TYPE(enc, ptr)) {
738 INVALID_CASES(ptr, nextTokPtr)
739 case BT_LT:
740@@ -1373,7 +1373,7 @@ PREFIX(isPublicId)(const ENCODING *enc, const char *ptr, const char *end,
741 {
742 ptr += MINBPC(enc);
743 end -= MINBPC(enc);
744- for (; ptr != end; ptr += MINBPC(enc)) {
745+ for (; ptr < end; ptr += MINBPC(enc)) {
746 switch (BYTE_TYPE(enc, ptr)) {
747 case BT_DIGIT:
748 case BT_HEX:
749@@ -1760,7 +1760,7 @@ PREFIX(updatePosition)(const ENCODING *enc,
750 case BT_CR:
751 pos->lineNumber++;
752 ptr += MINBPC(enc);
753- if (ptr != end && BYTE_TYPE(enc, ptr) == BT_LF)
754+ if (ptr < end && BYTE_TYPE(enc, ptr) == BT_LF)
755 ptr += MINBPC(enc);
756 pos->columnNumber = (XML_Size)-1;
757 break;
758--
7592.8.2
760