[libxslt] Lower and upper bound for format token "i"
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxslt] Lower and upper bound for format token "i"
- Date: Sun, 10 Apr 2016 11:47:34 +0000 (UTC)
commit 91d0540ac9beaa86719a05b749219a69baa0dd8d
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Sun Apr 10 13:12:28 2016 +0200
Lower and upper bound for format token "i"
Handle xsl:number with format "i" and value 0 according to XSLT 2.0.
Also introduce an upper bound to fix a denial of service.
libxslt/numbers.c | 25 ++++++++++++++++---------
1 files changed, 16 insertions(+), 9 deletions(-)
---
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index af52883..e769c42 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -274,11 +274,24 @@ xsltNumberFormatAlpha(xsltNumberDataPtr data,
}
static void
-xsltNumberFormatRoman(xmlBufferPtr buffer,
+xsltNumberFormatRoman(xsltNumberDataPtr data,
+ xmlBufferPtr buffer,
double number,
int is_upper)
{
/*
+ * See discussion in xsltNumberFormatAlpha. Also use a reasonable upper
+ * bound to avoid denial of service.
+ */
+ if (number < 1.0 || number > 5000.0) {
+ xsltNumberFormatDecimal(buffer, number, '0', 1,
+ data->digitsPerGroup,
+ data->groupingCharacter,
+ data->groupingCharacterLen);
+ return;
+ }
+
+ /*
* Based on an example by Jim Walsh
*/
while (number >= 1000.0) {
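Review bot: The literal `5000.0` in the new guard of xsltNumberFormatRoman is a magic number, and the comment calls it only a "reasonable upper bound" without saying what it protects. The `while (number >= 1000.0)` loop that follows is presumably what makes it necessary: its body is outside the hunk, but it appears to emit one numeral per thousand, so output size and run time would grow with a value the stylesheet or input document controls. I would name the limit and state the reason next to it, for example `#define XSLT_ROMAN_MAX 5000.0 /* larger values fall back to decimal; the loop below runs once per 1000 */` (the name is a suggestion), and test `number > XSLT_ROMAN_MAX`. If NaN can reach this function (the callers' checks are not visible here), writing the guard as `if (!(number >= 1.0 && number <= 5000.0))` would also send it to the decimal path instead of letting it fall through the loops.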
@@ -527,16 +540,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
xsltNumberFormatAlpha(data, buffer, number, FALSE);
break;
case 'I':
- xsltNumberFormatRoman(buffer,
- number,
- TRUE);
-
+ xsltNumberFormatRoman(data, buffer, number, TRUE);
break;
case 'i':
- xsltNumberFormatRoman(buffer,
- number,
- FALSE);
-
+ xsltNumberFormatRoman(data, buffer, number, FALSE);
break;
default:
if (IS_DIGIT_ZERO(token->token)) {