From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Mon, 19 Aug 2024 22:26:07 +0200 Subject: [PATCH 1/3] lib: Reject negative len for XML_ParseBuffer Reported by TaiYou --- expat/lib/xmlparse.c | 6 ++++++ 1 file changed, 6 insertions(+) Index: expat-2.5.0/lib/xmlparse.c =================================================================== --- expat-2.5.0.orig/lib/xmlparse.c +++ expat-2.5.0/lib/xmlparse.c @@ -1985,6 +1985,12 @@ XML_ParseBuffer(XML_Parser parser, int l if (parser == NULL) return XML_STATUS_ERROR; + + if (len < 0) { + parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT; + return XML_STATUS_ERROR; + } + switch (parser->m_parsingStatus.parsing) { case XML_SUSPENDED: parser->m_errorCode = XML_ERROR_SUSPENDED; Index: expat-2.5.0/doc/reference.html =================================================================== --- expat-2.5.0.orig/doc/reference.html +++ expat-2.5.0/doc/reference.html @@ -1097,7 +1097,9 @@ containing part (or perhaps all) of the that are part of the document is indicated by len. This means that s doesn't have to be null terminated. It also means that if len is larger than the number of bytes in the block of -memory that s points at, then a memory fault is likely. The +memory that s points at, then a memory fault is likely. +Negative values for len are rejected since Expat 2.2.1. +The isFinal parameter informs the parser that this is the last piece of the document. Frequently, the last piece is empty (i.e. len is zero.) @@ -1113,11 +1115,17 @@ XML_ParseBuffer(XML_Parser p, int isFinal);
+

This is just like XML_Parse, except in this case Expat provides the buffer. By obtaining the buffer from Expat with the XML_GetBuffer function, the application can avoid double copying of the input. +

+ +

+Negative values for len are rejected since Expat 2.6.3. +

XML_GetBuffer