From bf2e96173d4f78f564015a925970077501586fbe Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Thu, 7 Nov 2019 12:54:01 +0100
|
|
Subject: [PATCH] Fix overflow handling in xmlBufBackToBuffer
|
|
|
|
Don't overwrite 'use' and 'size' members after clamping to INT_MAX.
|
|
|
|
Thanks to Ranier Vilela for pointing this out in merge request !56.
|
|
---
|
|
buf.c | 6 ++++--
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/buf.c b/buf.c
|
|
index d46da36..3b212fc 100644
|
|
--- a/buf.c
|
|
+++ b/buf.c
|
|
@@ -1233,10 +1233,12 @@ xmlBufBackToBuffer(xmlBufPtr buf) {
|
|
* Keep the buffer but provide a truncated size value.
|
|
*/
|
|
xmlBufOverflowError(buf, "Allocated size too big for xmlBuffer");
|
|
+ ret->use = (int) buf->use;
|
|
ret->size = INT_MAX;
|
|
+ } else {
|
|
+ ret->use = (int) buf->use;
|
|
+ ret->size = (int) buf->size;
|
|
}
|
|
- ret->use = (int) buf->use;
|
|
- ret->size = (int) buf->size;
|
|
ret->alloc = buf->alloc;
|
|
ret->content = buf->content;
|
|
ret->contentIO = buf->contentIO;
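Review bot: The `(int)` casts in the new `else` branch are only safe if the conditions above the hunk have already ruled out both `buf->use > INT_MAX` and `buf->size > INT_MAX`. That cannot be confirmed from these lines, because the body of xmlBufBackToBuffer starts before the hunk and continues after it. A short comment in that branch would record the invariant for the next maintainer, for example `/* use and size both fit in an int here; larger values are clamped above */`. In the branch that sets `ret->size = INT_MAX`, the reported size now understates the real allocation. That presumably errs on the safe side for bounds checks, but it is worth confirming that no later conversion back to an xmlBuf treats the clamped `ret->size` as the true capacity.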
|
|
--
|
|
1.8.3.1
|
|
|