[libxml2] Fix integer overflow in xmlSchemaGetParticleTotalRangeMin

From: Nick Wellnhofer <nwellnhof src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxml2] Fix integer overflow in xmlSchemaGetParticleTotalRangeMin
Date: Tue, 15 Dec 2020 19:37:39 +0000 (UTC)

commit 8ca3a59b2ee57e2f30272272bb232c84d03b9edc
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Tue Dec 15 20:14:28 2020 +0100

    Fix integer overflow in xmlSchemaGetParticleTotalRangeMin
    
    The function is only used once and its return value is only checked for
    zero. Disable the function like its Max counterpart and add an
    implementation for the special case.
    
    Found by OSS-Fuzz.

 xmlschemas.c | 50 +++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 45 insertions(+), 5 deletions(-)
---
diff --git a/xmlschemas.c b/xmlschemas.c
index c455b4a3..1efd0962 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -14721,6 +14721,7 @@ xmlSchemaGetUnionSimpleTypeMemberTypes(xmlSchemaTypePtr type)
     return (NULL);
 }
 
+#if 0
 /**
  * xmlSchemaGetParticleTotalRangeMin:
  * @particle: the particle
@@ -14776,7 +14777,6 @@ xmlSchemaGetParticleTotalRangeMin(xmlSchemaParticlePtr particle)
     }
 }
 
-#if 0
 /**
  * xmlSchemaGetParticleTotalRangeMax:
  * @particle: the particle
@@ -14838,6 +14838,48 @@ xmlSchemaGetParticleTotalRangeMax(xmlSchemaParticlePtr particle)
 }
 #endif
 
+/**
+ * xmlSchemaGetParticleEmptiable:
+ * @particle: the particle
+ *
+ * Returns 1 if emptiable, 0 otherwise.
+ */
+static int
+xmlSchemaGetParticleEmptiable(xmlSchemaParticlePtr particle)
+{
+    xmlSchemaParticlePtr part;
+    int emptiable;
+
+    if ((particle->children == NULL) || (particle->minOccurs == 0))
+       return (1);
+
+    part = (xmlSchemaParticlePtr) particle->children->children;
+    if (part == NULL)
+        return (1);
+
+    while (part != NULL) {
+        if ((part->children->type == XML_SCHEMA_TYPE_ELEMENT) ||
+            (part->children->type == XML_SCHEMA_TYPE_ANY))
+            emptiable = (part->minOccurs == 0);
+        else
+            emptiable = xmlSchemaGetParticleEmptiable(part);
+        if (particle->children->type == XML_SCHEMA_TYPE_CHOICE) {
+            if (emptiable)
+                return (1);
+        } else {
+           /* <all> and <sequence> */
+            if (!emptiable)
+                return (0);
+        }
+        part = (xmlSchemaParticlePtr) part->next;
+    }
+
+    if (particle->children->type == XML_SCHEMA_TYPE_CHOICE)
+        return (0);
+    else
+        return (1);
+}
+
 /**
  * xmlSchemaIsParticleEmptiable:
  * @particle: the particle
@@ -14860,10 +14902,8 @@ xmlSchemaIsParticleEmptiable(xmlSchemaParticlePtr particle)
     * SPEC (2) "Its {term} is a group and the minimum part of the
     * effective total range of that group, [...] is 0."
     */
-    if (WXS_IS_MODEL_GROUP(particle->children)) {
-       if (xmlSchemaGetParticleTotalRangeMin(particle) == 0)
-           return (1);
-    }
+    if (WXS_IS_MODEL_GROUP(particle->children))
+       return (xmlSchemaGetParticleEmptiable(particle));
     return (0);
 }

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]