Take into account that CHAR_MATCHES may read >1 bytes

commit: 687edcb52bd60130f4ab8ad3410821539ab398b4 [log] [tgz]
author: Sebastian Pipping <sebastian@pipping.org> Tue May 24 23:11:29 2016 +0200
committer: Sebastian Pipping <sebastian@pipping.org> Wed May 25 19:04:36 2016 +0200
tree: 51f86a5ea2f68038b5bf02fe40ec132e15076e76
parent: 30145890579e3e7fca548129260b2ac6a545d2ef [diff]
diff --git a/expat/lib/xmltok_impl.c b/expat/lib/xmltok_impl.c
index c94bd9b..8cabbed 100644
--- a/expat/lib/xmltok_impl.c
+++ b/expat/lib/xmltok_impl.c

@@ -93,7 +93,7 @@
 PREFIX(scanComment)(const ENCODING *enc, const char *ptr,
                     const char *end, const char **nextTokPtr)
 {
-  if (ptr < end) {
+  if (end - ptr >= MINBPC(enc)) {
     if (!CHAR_MATCHES(enc, ptr, ASCII_MINUS)) {
       *nextTokPtr = ptr;
       return XML_TOK_INVALID;
@@ -103,10 +103,12 @@
       switch (BYTE_TYPE(enc, ptr)) {
       INVALID_CASES(ptr, nextTokPtr)
       case BT_MINUS:
-        if ((ptr += MINBPC(enc)) == end)
+        ptr += MINBPC(enc);
+        if (end - ptr < MINBPC(enc))
           return XML_TOK_PARTIAL;
         if (CHAR_MATCHES(enc, ptr, ASCII_MINUS)) {
-          if ((ptr += MINBPC(enc)) == end)
+          ptr += MINBPC(enc);
+          if (end - ptr < MINBPC(enc))
             return XML_TOK_PARTIAL;
           if (!CHAR_MATCHES(enc, ptr, ASCII_GT)) {
             *nextTokPtr = ptr;
@@ -247,7 +249,7 @@
         INVALID_CASES(ptr, nextTokPtr)
         case BT_QUEST:
           ptr += MINBPC(enc);
-          if (ptr == end)
+          if (end - ptr < MINBPC(enc))
             return XML_TOK_PARTIAL;
           if (CHAR_MATCHES(enc, ptr, ASCII_GT)) {
             *nextTokPtr = ptr + MINBPC(enc);
@@ -266,7 +268,7 @@
         return XML_TOK_INVALID;
       }
       ptr += MINBPC(enc);
-      if (ptr == end)
+      if (end - ptr < MINBPC(enc))
         return XML_TOK_PARTIAL;
       if (CHAR_MATCHES(enc, ptr, ASCII_GT)) {
         *nextTokPtr = ptr + MINBPC(enc);
@@ -319,12 +321,12 @@
   switch (BYTE_TYPE(enc, ptr)) {
   case BT_RSQB:
     ptr += MINBPC(enc);
-    if (ptr == end)
+    if (end - ptr < MINBPC(enc))
       return XML_TOK_PARTIAL;
     if (!CHAR_MATCHES(enc, ptr, ASCII_RSQB))
       break;
     ptr += MINBPC(enc);
-    if (ptr == end)
+    if (end - ptr < MINBPC(enc))
       return XML_TOK_PARTIAL;
     if (!CHAR_MATCHES(enc, ptr, ASCII_GT)) {
       ptr -= MINBPC(enc);
@@ -655,7 +657,7 @@
           case BT_SOL:
           sol:
             ptr += MINBPC(enc);
-            if (ptr == end)
+            if (end - ptr < MINBPC(enc))
               return XML_TOK_PARTIAL;
             if (!CHAR_MATCHES(enc, ptr, ASCII_GT)) {
               *nextTokPtr = ptr;
@@ -766,7 +768,7 @@
     case BT_SOL:
     sol:
       ptr += MINBPC(enc);
-      if (ptr == end)
+      if (end - ptr < MINBPC(enc))
         return XML_TOK_PARTIAL;
       if (!CHAR_MATCHES(enc, ptr, ASCII_GT)) {
         *nextTokPtr = ptr;
@@ -815,12 +817,12 @@
     return XML_TOK_DATA_NEWLINE;
   case BT_RSQB:
     ptr += MINBPC(enc);
-    if (ptr == end)
+    if (end - ptr < MINBPC(enc))
       return XML_TOK_TRAILING_RSQB;
     if (!CHAR_MATCHES(enc, ptr, ASCII_RSQB))
       break;
     ptr += MINBPC(enc);
-    if (ptr == end)
+    if (end - ptr < MINBPC(enc))
       return XML_TOK_TRAILING_RSQB;
     if (!CHAR_MATCHES(enc, ptr, ASCII_GT)) {
       ptr -= MINBPC(enc);
@@ -846,12 +848,12 @@
     LEAD_CASE(2) LEAD_CASE(3) LEAD_CASE(4)
 #undef LEAD_CASE
     case BT_RSQB:
-      if (ptr + MINBPC(enc) != end) {
+      if (end - ptr >= 2*MINBPC(enc)) {
          if (!CHAR_MATCHES(enc, ptr + MINBPC(enc), ASCII_RSQB)) {
            ptr += MINBPC(enc);
            break;
          }
-         if (ptr + 2*MINBPC(enc) != end) {
+         if (end - ptr >= 3*MINBPC(enc)) {
            if (!CHAR_MATCHES(enc, ptr + 2*MINBPC(enc), ASCII_GT)) {
              ptr += MINBPC(enc);
              break;
@@ -1049,10 +1051,10 @@
     return XML_TOK_OPEN_BRACKET;
   case BT_RSQB:
     ptr += MINBPC(enc);
-    if (ptr == end)
+    if (end - ptr < MINBPC(enc))
       return -XML_TOK_CLOSE_BRACKET;
     if (CHAR_MATCHES(enc, ptr, ASCII_RSQB)) {
-      if (ptr + MINBPC(enc) == end)
+      if (end - ptr < 2*MINBPC(enc))
         return XML_TOK_PARTIAL;
       if (CHAR_MATCHES(enc, ptr + MINBPC(enc), ASCII_GT)) {
         *nextTokPtr = ptr + 2*MINBPC(enc);
@@ -1331,10 +1333,12 @@
     switch (BYTE_TYPE(enc, ptr)) {
     INVALID_CASES(ptr, nextTokPtr)
     case BT_LT:
-      if ((ptr += MINBPC(enc)) == end)
+      ptr += MINBPC(enc);
+      if (end - ptr < MINBPC(enc))
         return XML_TOK_PARTIAL;
       if (CHAR_MATCHES(enc, ptr, ASCII_EXCL)) {
-        if ((ptr += MINBPC(enc)) == end)
+        ptr += MINBPC(enc);
+        if (end - ptr < MINBPC(enc))
           return XML_TOK_PARTIAL;
         if (CHAR_MATCHES(enc, ptr, ASCII_LSQB)) {
           ++level;
@@ -1343,10 +1347,12 @@
       }
       break;
     case BT_RSQB:
-      if ((ptr += MINBPC(enc)) == end)
+      ptr += MINBPC(enc);
+      if (end - ptr < MINBPC(enc))
         return XML_TOK_PARTIAL;
       if (CHAR_MATCHES(enc, ptr, ASCII_RSQB)) {
-        if ((ptr += MINBPC(enc)) == end)
+        ptr += MINBPC(enc);
+        if (end - ptr < MINBPC(enc))
           return XML_TOK_PARTIAL;
         if (CHAR_MATCHES(enc, ptr, ASCII_GT)) {
           ptr += MINBPC(enc);
@@ -1688,7 +1694,7 @@
                          const char *end1, const char *ptr2)
 {
   for (; *ptr2; ptr1 += MINBPC(enc), ptr2++) {
-    if (ptr1 == end1)
+    if (end1 - ptr1 < MINBPC(enc))
       return 0;
     if (!CHAR_MATCHES(enc, ptr1, *ptr2))
       return 0;
commit	687edcb52bd60130f4ab8ad3410821539ab398b4	[log] [tgz]
author	Sebastian Pipping <sebastian@pipping.org>	Tue May 24 23:11:29 2016 +0200
committer	Sebastian Pipping <sebastian@pipping.org>	Wed May 25 19:04:36 2016 +0200
tree	51f86a5ea2f68038b5bf02fe40ec132e15076e76
parent	30145890579e3e7fca548129260b2ac6a545d2ef [diff]