[xml] parser.c bug and potential fix



First, thank you for your time and efforts in supporting libxml2!


While updating to the latest version I ran into an issue in parser.c with the xmlGROW routine.

The issue is with the way it compiles and runs under Windows:


Line 2042

The current version uses:

    /* xmlGROW, parser.c line 2042: the two pointer differences are signed
     * (ptrdiff_t), so they are compared as signed values */
    if ((((ctxt->input->end - ctxt->input->cur) > XML_MAX_LOOKUP_LIMIT) ||
         ((ctxt->input->cur - ctxt->input->base) > XML_MAX_LOOKUP_LIMIT)) &&
        ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&
        ((ctxt->options & XML_PARSE_HUGE) == 0)) {


However, the issue is that cur, end, and base don't compare correctly under all conditions (large pointers), and this has caused crashes in poorly formulated (erroneous) XML.


I’ve modified this in our code to use:

    /* Compute both distances first and hold them as unsigned values */
    unsigned long curEnd = ctxt->input->end - ctxt->input->cur;
    unsigned long curBase = ctxt->input->cur - ctxt->input->base;

    /* The limit is cast to unsigned long so both comparisons are unsigned */
    if (((curEnd > (unsigned long)XML_MAX_LOOKUP_LIMIT) || (curBase > (unsigned long)XML_MAX_LOOKUP_LIMIT)) &&
        ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&
        ((ctxt->options & XML_PARSE_HUGE) == 0)) {


This forces the system to do unsigned comparisons and eliminated the crash.


Thanks again for your efforts!


Best Regards,

Jon Longstreth
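The failure mode the post describes, as an added example that is neither libxml2's code nor the poster's: a small model of the lookup-limit test in its original signed form and in the post's unsigned form, run over a constructed input whose cursor has overrun the buffer end. LOOKUP_LIMIT stands in for XML_MAX_LOOKUP_LIMIT (its value is assumed), and input_t and the helper functions are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for XML_MAX_LOOKUP_LIMIT; the value is assumed, not from the post. */
#define LOOKUP_LIMIT 10000000

/* Hypothetical stand-in for the base/cur/end pointers of an xmlParserInput. */
typedef struct {
    const char *base;
    const char *cur;
    const char *end;
} input_t;

/* Original form: both differences are ptrdiff_t, compared as signed values.
 * If cur has run past end, end - cur is negative and never exceeds the
 * limit, so the overrun is not caught here. */
int limit_check_signed(const input_t *in)
{
    return ((in->end - in->cur) > LOOKUP_LIMIT) ||
           ((in->cur - in->base) > LOOKUP_LIMIT);
}

/* Post's form: the differences are stored as unsigned long first, so a
 * negative end - cur wraps to a huge value and trips the limit. */
int limit_check_unsigned(const input_t *in)
{
    unsigned long curEnd  = in->end - in->cur;
    unsigned long curBase = in->cur - in->base;
    return (curEnd > (unsigned long)LOOKUP_LIMIT) ||
           (curBase > (unsigned long)LOOKUP_LIMIT);
}

static char buf[64];   /* constructed input buffer */

/* Healthy state: cur lies inside [base, end]. */
input_t well_formed_input(void) { input_t in = { buf, buf + 8, buf + 32 }; return in; }

/* Overrun state: cur is 8 bytes past end (end - cur == -8). Every pointer
 * still lies inside buf, so the pointer arithmetic itself is well defined. */
input_t overrun_input(void) { input_t in = { buf, buf + 40, buf + 32 }; return in; }

int well_formed_trips_unsigned(void) { input_t in = well_formed_input(); return limit_check_unsigned(&in); }
int overrun_trips_signed(void)       { input_t in = overrun_input();     return limit_check_signed(&in); }
int overrun_trips_unsigned(void)     { input_t in = overrun_input();     return limit_check_unsigned(&in); }

int main(void)
{
    printf("well-formed: unsigned check trips=%d\n", well_formed_trips_unsigned());
    printf("overrun:     signed=%d unsigned=%d\n", overrun_trips_signed(), overrun_trips_unsigned());
    return 0;
}
```

The signed form reports 0 for the overrun input while the unsigned form reports 1, which is the difference the post relies on to turn a silent overrun into a caught limit error.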

