Description: fix potential overflows in XML parsing.
Ubuntu: https://bugs.launchpad.net/bugs/308060
Index: libmsn-4.0~beta4/msn/xmlParser.cpp
5
===================================================================
6
--- libmsn-4.0~beta4.orig/msn/xmlParser.cpp 2009-03-27 16:18:12.000000000 -0700
7
+++ libmsn-4.0~beta4/msn/xmlParser.cpp 2009-03-27 16:22:57.000000000 -0700
9
int _tcsicmp(XMLCSTR c1, XMLCSTR c2) { return wcscasecmp(c1,c2); }
11
XMLSTR _tcsstr(XMLCSTR c1, XMLCSTR c2) { return (XMLSTR)wcsstr(c1,c2); }
12
- XMLSTR _tcscpy(XMLSTR c1, XMLCSTR c2) { return (XMLSTR)wcscpy(c1,c2); }
13
+ XMLSTR _tcscpy(XMLSTR c1, XMLCSTR c2, int n) {
17
+ XMLSTR result=(XMLSTR)wcsncpy(c1,c2,n);
21
FILE *_tfopen(XMLCSTR filename,XMLCSTR mode)
23
char *filenameAscii=myWideCharToMultiByte(filename);
25
int _tcsncmp(XMLCSTR c1, XMLCSTR c2, int l) { return strncmp(c1,c2,l);}
26
int _tcsicmp(XMLCSTR c1, XMLCSTR c2) { return strcasecmp(c1,c2); }
27
XMLSTR _tcsstr(XMLCSTR c1, XMLCSTR c2) { return (XMLSTR)strstr(c1,c2); }
28
- XMLSTR _tcscpy(XMLSTR c1, XMLCSTR c2) { return (XMLSTR)strcpy(c1,c2); }
29
+ XMLSTR _tcscpy(XMLSTR c1, XMLCSTR c2, int n) {
33
+ XMLSTR result=(XMLSTR)strncpy(c1,c2,n);
38
int _strnicmp(const char *c1,const char *c2, int l) { return strncasecmp(c1,c2,l);}
44
-XMLSTR toXMLStringUnSafe(XMLSTR dest,XMLCSTR source)
45
+XMLSTR toXMLStringUnSafe(XMLSTR dest,XMLCSTR source,int length)
49
XMLCharacterEntity *entity;
50
- while ((ch=*source))
51
+ while ((ch=*source) && length > 0)
56
- if (ch==entity->c) {_tcscpy(dest,entity->s); dest+=entity->l; source++; goto out_of_loop1; }
59
+ _tcscpy(dest,entity->s,length);
70
- *(dest++)=*(source++);
71
+ *(dest++)=*(source++);
74
- switch(XML_ByteTable[(unsigned char)ch])
76
- case 4: *(dest++)=*(source++);
77
- case 3: *(dest++)=*(source++);
78
- case 2: *(dest++)=*(source++);
79
- case 1: *(dest++)=*(source++);
80
+ switch(XML_ByteTable[(unsigned char)ch])
82
+ case 4: *(dest++)=*(source++); length--; if (!length) break;
83
+ case 3: *(dest++)=*(source++); length--; if (!length) break;
84
+ case 2: *(dest++)=*(source++); length--; if (!length) break;
85
+ case 1: *(dest++)=*(source++); length--; if (!length) break;
92
int l=lengthXMLString(source)+1;
93
if (l>buflen) { buflen=l; buf=(XMLSTR)realloc(buf,l*sizeof(XMLCHAR)); }
94
- return toXMLStringUnSafe(buf,source);
95
+ return toXMLStringUnSafe(buf,source,buflen);
101
// This recurses through all subnodes then adds contents of the nodes to the
103
-int XMLNode::CreateXMLStringR(XMLNodeData *pEntry, XMLSTR lpszMarker, int nFormat)
104
+int XMLNode::CreateXMLStringR(XMLNodeData *pEntry, XMLSTR lpszMarker, int length, int nFormat)
108
@@ -1735,7 +1760,7 @@
110
lpszMarker[nResult++]=_T('<');
111
if (pEntry->isDeclaration) lpszMarker[nResult++]=_T('?');
112
- _tcscpy(&lpszMarker[nResult], pEntry->lpszName);
113
+ _tcscpy(&lpszMarker[nResult], pEntry->lpszName, length-nResult);
115
lpszMarker[nResult++]=_T(' ');
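Review bot: The bound handed to `_tcscpy` at L102, `length-nResult`, is a signed int, so if nResult ever exceeds length (the counting pass and the writing pass of CreateXMLStringR disagreeing) the negative value is converted to size_t inside the wrapper and strncpy/wcsncpy copy unbounded again; strncpy also leaves the destination unterminated whenever it truncates. The `_tcscpy` wrappers defined earlier in this patch (L20, L36) are the place to defend: `if (n <= 0) return c1;` before the copy and `c1[n-1] = 0;` after it — their bodies are elided here, so disregard if they already do this. Note also that the direct writes `lpszMarker[nResult++]=_T('<')`, `_T('?')` and `_T(' ')` in this hunk are still not checked against `length`; the new bound only covers the string copies. The enclosing function CreateXMLStringR starts and ends outside this hunk.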
117
@@ -1753,7 +1778,7 @@
118
cb = (int)LENSTR(pAttr->lpszName);
121
- if (lpszMarker) _tcscpy(&lpszMarker[nResult], pAttr->lpszName);
122
+ if (lpszMarker) _tcscpy(&lpszMarker[nResult], pAttr->lpszName, length-nResult);
125
if (pAttr->lpszValue)
126
@@ -1763,7 +1788,7 @@
128
lpszMarker[nResult]=_T('=');
129
lpszMarker[nResult+1]=_T('"');
130
- if (cb) toXMLStringUnSafe(&lpszMarker[nResult+2],pAttr->lpszValue);
131
+ if (cb) toXMLStringUnSafe(&lpszMarker[nResult+2],pAttr->lpszValue, length-(nResult+2));
132
lpszMarker[nResult+cb+2]=_T('"');
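Review bot: The closing quote at `lpszMarker[nResult+cb+2]` is positioned with `cb` (computed on lines not shown here, presumably the escaped length of the value) rather than with the number of characters toXMLStringUnSafe actually emitted under the new `length-(nResult+2)` bound, so if that bound ever truncates, the quote and every subsequent write still land at the untruncated offset and the truncation only moves the overflow later. The same pattern appears in the later text-node hunks, which advance nResult by `cb` after a bounded copy. A more robust fix is to have toXMLStringUnSafe return the end pointer or the count written and derive the offset from that; at minimum the literal write should be guarded too, something like `if (nResult+cb+2 >= length) return nResult;` before it, adapted to whatever failure signalling the callers expect. The rest of CreateXMLStringR lies outside this hunk.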
135
@@ -1827,13 +1852,13 @@
138
charmemset(&lpszMarker[nResult],INDENTCHAR,sizeof(XMLCHAR)*(nFormat + 1));
139
- toXMLStringUnSafe(&lpszMarker[nResult+nFormat+1],pChild);
140
+ toXMLStringUnSafe(&lpszMarker[nResult+nFormat+1],pChild, length - (nResult + nFormat + 1));
141
lpszMarker[nResult+nFormat+1+cb]=_T('\n');
143
nResult+=cb+nFormat+2;
146
- if (lpszMarker) toXMLStringUnSafe(&lpszMarker[nResult], pChild);
147
+ if (lpszMarker) toXMLStringUnSafe(&lpszMarker[nResult], pChild, length - nResult);
151
@@ -1853,13 +1878,13 @@
154
charmemset(&lpszMarker[nResult], INDENTCHAR, sizeof(XMLCHAR)*(nFormat + 1));
155
- _tcscpy(&lpszMarker[nResult+nFormat+1], pChild->lpszOpenTag);
156
+ _tcscpy(&lpszMarker[nResult+nFormat+1], pChild->lpszOpenTag, length - (nResult + nFormat + 1));
158
nResult+=cb+nFormat+1;
162
- if (lpszMarker)_tcscpy(&lpszMarker[nResult], pChild->lpszOpenTag);
163
+ if (lpszMarker)_tcscpy(&lpszMarker[nResult], pChild->lpszOpenTag, length - nResult);
167
@@ -1868,7 +1893,7 @@
168
cb = (int)LENSTR(pChild->lpszValue);
171
- if (lpszMarker) _tcscpy(&lpszMarker[nResult], pChild->lpszValue);
172
+ if (lpszMarker) _tcscpy(&lpszMarker[nResult], pChild->lpszValue, length - nResult);
176
@@ -1876,7 +1901,7 @@
177
cb = (int)LENSTR(pChild->lpszCloseTag);
180
- if (lpszMarker) _tcscpy(&lpszMarker[nResult], pChild->lpszCloseTag);
181
+ if (lpszMarker) _tcscpy(&lpszMarker[nResult], pChild->lpszCloseTag, length - nResult);
185
@@ -1892,7 +1917,7 @@
188
// Recursively add child nodes
189
- nResult += CreateXMLStringR(pEntry->pChild[j>>2].d, lpszMarker ? lpszMarker + nResult : 0, nChildFormat);
190
+ nResult += CreateXMLStringR(pEntry->pChild[j>>2].d, lpszMarker ? lpszMarker + nResult : 0, lpszMarker ? length - nResult : 0, nChildFormat);
194
@@ -1917,18 +1942,18 @@
198
- _tcscpy(&lpszMarker[nResult], _T("</"));
199
+ _tcscpy(&lpszMarker[nResult], _T("</"), length - nResult);
201
- _tcscpy(&lpszMarker[nResult], pEntry->lpszName);
202
+ _tcscpy(&lpszMarker[nResult], pEntry->lpszName, length - nResult);
203
nResult += cbElement;
207
- _tcscpy(&lpszMarker[nResult], _T(">"));
208
+ _tcscpy(&lpszMarker[nResult], _T(">"), length - nResult);
212
- _tcscpy(&lpszMarker[nResult], _T(">\n"));
213
+ _tcscpy(&lpszMarker[nResult], _T(">\n"), length - nResult);
217
@@ -1945,12 +1970,12 @@
221
- _tcscpy(&lpszMarker[nResult], _T("/>"));
222
+ _tcscpy(&lpszMarker[nResult], _T("/>"), length - nResult);
227
- _tcscpy(&lpszMarker[nResult], _T("/>\n"));
228
+ _tcscpy(&lpszMarker[nResult], _T("/>\n"), length - nResult);
232
@@ -1985,12 +2010,12 @@
233
// Recursively Calculate the size of the XML string
234
if (!dropWhiteSpace) nFormat=0;
235
nFormat = nFormat ? 0 : -1;
236
- cbStr = CreateXMLStringR(d, 0, nFormat);
237
+ cbStr = CreateXMLStringR(d, 0, 0, nFormat);
239
// Alllocate memory for the XML string + the NULL terminator and
240
// create the recursively XML string.
241
lpszResult=(XMLSTR)malloc((cbStr+1)*sizeof(XMLCHAR));
242
- CreateXMLStringR(d, lpszResult, nFormat);
243
+ CreateXMLStringR(d, lpszResult, cbStr+1, nFormat);
244
if (pnSize) *pnSize = cbStr;
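Review bot: The bounded writing pass at L232 is now told the buffer holds `cbStr+1` characters, but nothing checks that the `malloc` at L228 actually returned one, so an allocation failure on a large document becomes a write through NULL-plus-offset instead of a clean error; add `if (!lpszResult) return NULL;` (or whatever this function's callers treat as failure — its return path is outside the hunk) before the call. Since cbStr is an int produced by the counting pass, a `cbStr < 0` check after L222 would also keep a negative or overflowed count from being handed to `malloc` as a small size while the second pass believes it has cbStr+1 characters of room. Both lines are pre-existing context, but the new length argument now depends on them being sane.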
247
Index: libmsn-4.0~beta4/msn/xmlParser.h
248
===================================================================
249
--- libmsn-4.0~beta4.orig/msn/xmlParser.h 2009-03-27 16:18:12.000000000 -0700
250
+++ libmsn-4.0~beta4/msn/xmlParser.h 2009-03-27 16:18:43.000000000 -0700
252
XMLCSTR addText_priv(int,XMLSTR,int);
253
XMLClear *addClear_priv(int,XMLSTR,XMLCSTR,XMLCSTR,int);
254
static inline int findPosition(XMLNodeData *d, int index, XMLElementType xtype);
255
- static int CreateXMLStringR(XMLNodeData *pEntry, XMLSTR lpszMarker, int nFormat);
256
+ static int CreateXMLStringR(XMLNodeData *pEntry, XMLSTR lpszMarker, int length, int nFormat);
257
static int removeOrderElement(XMLNodeData *d, XMLElementType t, int index);
258
static void exactMemory(XMLNodeData *d);
259
static int detachFromParent(XMLNodeData *d);