c/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2 synced 2025-03-28 21:33:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

valid: Check reallocations for overflow

Browse Source
This commit is contained in:
Nick Wellnhofer 2024-12-15 22:44:39 +01:00
parent 8b2d9ac45b
commit 178b11219c
1 changed files with 26 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
valid.c
View File

@ -24,6 +24,7 @@
#include <libxml/xmlsave.h>
#include "private/error.h"
#include "private/memory.h"
#include "private/parser.h"
#include "private/regexp.h"
#include "private/save.h"
@ -204,27 +205,23 @@ typedef struct _xmlValidState {
static int
vstateVPush(xmlValidCtxtPtr ctxt, xmlElementPtr elemDecl, xmlNodePtr node) {
if ((ctxt->vstateMax == 0) || (ctxt->vstateTab == NULL)) {
ctxt->vstateMax = 10;
ctxt->vstateTab = (xmlValidState *) xmlMalloc(ctxt->vstateMax *
sizeof(ctxt->vstateTab[0]));
if (ctxt->vstateTab == NULL) {
if (ctxt->vstateNr >= ctxt->vstateMax) {
xmlValidState *tmp;
int newSize;
newSize = xmlGrowCapacity(ctxt->vstateMax, sizeof(tmp[0]),
10, XML_MAX_ITEMS);
if (newSize < 0) {
xmlVErrMemory(ctxt);
return(-1);
}
}
if (ctxt->vstateNr >= ctxt->vstateMax) {
xmlValidState *tmp;
tmp = (xmlValidState *) xmlRealloc(ctxt->vstateTab,
2 * ctxt->vstateMax * sizeof(ctxt->vstateTab[0]));
tmp = xmlRealloc(ctxt->vstateTab, newSize * sizeof(tmp[0]));
if (tmp == NULL) {
xmlVErrMemory(ctxt);
return(-1);
}
ctxt->vstateMax *= 2;
ctxt->vstateTab = tmp;
ctxt->vstateMax = newSize;
}
ctxt->vstate = &ctxt->vstateTab[ctxt->vstateNr];
ctxt->vstateTab[ctxt->vstateNr].elemDecl = elemDecl;
@ -312,29 +309,20 @@ vstateVPush(xmlValidCtxtPtr ctxt, xmlElementContentPtr cont,
unsigned char state) {
int i = ctxt->vstateNr - 1;
if (ctxt->vstateNr > MAX_RECURSE) {
return(-1);
}
if (ctxt->vstateTab == NULL) {
ctxt->vstateMax = 8;
ctxt->vstateTab = (xmlValidState *) xmlMalloc(
ctxt->vstateMax * sizeof(ctxt->vstateTab[0]));
if (ctxt->vstateTab == NULL) {
xmlVErrMemory(ctxt);
return(-1);
}
}
if (ctxt->vstateNr >= ctxt->vstateMax) {
xmlValidState *tmp;
int newSize;
tmp = (xmlValidState *) xmlRealloc(ctxt->vstateTab,
2 * ctxt->vstateMax * sizeof(ctxt->vstateTab[0]));
newSize = xmlGrowCapacity(ctxt->vstateMax, sizeof(tmp[0]),
8, MAX_RECURSE)
return(-1);
tmp = xmlRealloc(ctxt->vstateTab, newSize * sizeof(tmp[0]));
if (tmp == NULL) {
xmlVErrMemory(ctxt);
return(-1);
}
ctxt->vstateMax *= 2;
ctxt->vstateTab = tmp;
ctxt->vstateMax = newSize;
ctxt->vstate = &ctxt->vstateTab[0];
}
/*
@ -372,27 +360,23 @@ vstateVPop(xmlValidCtxtPtr ctxt) {
static int
nodeVPush(xmlValidCtxtPtr ctxt, xmlNodePtr value)
{
if (ctxt->nodeMax <= 0) {
ctxt->nodeMax = 4;
ctxt->nodeTab =
(xmlNodePtr *) xmlMalloc(ctxt->nodeMax *
sizeof(ctxt->nodeTab[0]));
if (ctxt->nodeTab == NULL) {
xmlVErrMemory(ctxt);
ctxt->nodeMax = 0;
return (0);
}
}
if (ctxt->nodeNr >= ctxt->nodeMax) {
xmlNodePtr *tmp;
tmp = (xmlNodePtr *) xmlRealloc(ctxt->nodeTab,
ctxt->nodeMax * 2 * sizeof(ctxt->nodeTab[0]));
int newSize;
newSize = xmlGrowCapacity(ctxt->nodeMax, sizeof(tmp[0]),
4, XML_MAX_ITEMS);
if (newSize < 0) {
xmlVErrMemory(ctxt);
return (0);
}
tmp = xmlRealloc(ctxt->nodeTab, newSize * sizeof(tmp[0]));
if (tmp == NULL) {
xmlVErrMemory(ctxt);
return (0);
}
ctxt->nodeMax *= 2;
ctxt->nodeTab = tmp;
ctxt->nodeMax = newSize;
}
ctxt->nodeTab[ctxt->nodeNr] = value;
ctxt->node = value;