svn commit: r1667870 - /xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp

Thu, 19 Mar 2015 13:57:07 -0700 

Author: scantor
Date: Thu Mar 19 20:56:46 2015
New Revision: 1667870

URL: http://svn.apache.org/r1667870
Log:
Work on XML declaration handling

Modified:
    xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp

Modified: xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp
URL: 
http://svn.apache.org/viewvc/xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp?rev=1667870&r1=1667869&r2=1667870&view=diff
==============================================================================
--- xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp (original)
+++ xerces/c/branches/xerces-3.1/src/xercesc/internal/XMLReader.cpp Thu Mar 19 
20:56:46 2015
@@ -1459,6 +1459,17 @@ void XMLReader::doInitDecode()
 
             while (fRawBufIndex < fRawBytesAvail)
             {
+                // Security fix: make sure there are at least sizeof(UCS4Ch) 
bytes to consume.
+                if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) {
+                    ThrowXMLwithMemMgr1
+                    (
+                        TranscodingException
+                        , XMLExcepts::Reader_CouldNotDecodeFirstLine
+                        , fSystemId
+                        , fMemoryManager
+                    );
+                }
+
                 // Get out the current 4 byte value and inc our raw buf index
                 UCS4Ch curVal = *asUCS++;
                 fRawBufIndex += sizeof(UCS4Ch);
@@ -1618,6 +1629,17 @@ void XMLReader::doInitDecode()
 
             while (fRawBufIndex < fRawBytesAvail)
             {
+                // Security fix: make sure there are at least sizeof(UTF16Ch) 
bytes to consume.
+                if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) {
+                    ThrowXMLwithMemMgr1
+                    (
+                        TranscodingException
+                        , XMLExcepts::Reader_CouldNotDecodeFirstLine
+                        , fSystemId
+                        , fMemoryManager
+                    );
+                }
+
                 // Get out the current 2 byte value
                 UTF16Ch curVal = *asUTF16++;
                 fRawBufIndex += sizeof(UTF16Ch);
@@ -1707,6 +1729,17 @@ void XMLReader::doInitDecode()
 //
 void XMLReader::refreshRawBuffer()
 {
+    // Security fix: make sure we don't underflow on the subtraction.
+    if (fRawBufIndex > fRawBytesAvail) {
+        ThrowXMLwithMemMgr1
+        (
+            RuntimeException
+            , XMLExcepts::Str_StartIndexPastEnd
+            , fSystemId
+            , fMemoryManager
+        );
+    }
+
     //
     //  If there are any bytes left, move them down to the start. There
     //  should only ever be (max bytes per char - 1) at the most.



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to