io: Fix a few integer overflows in I/O statistics

There are still many places where arithmetic on "consumed" stats isn't checked for overflow, affecting platforms with a 32-bit long type.
2025-03-28 21:33:13 +00:00 · 2022-11-13 20:19:13 +01:00 · 2022-11-13 20:19:13 +01:00 · 249cee4b2a
commit 249cee4b2a
parent 6b57061909
2 changed files with 26 additions and 8 deletions
--- a/parserInternals.c
+++ b/parserInternals.c
@ -354,7 +354,11 @@ xmlParserInputShrink(xmlParserInputPtr in) {
 	ret = xmlBufShrink(in->buf->buffer, used - LINE_LEN);
 	if (ret > 0) {
            used -= ret;
-	    in->consumed += ret;
+            if ((ret > ULONG_MAX) ||
+                (in->consumed > ULONG_MAX - (unsigned long)ret))
+                in->consumed = ULONG_MAX;
+            else
+                in->consumed += ret;
 	}
    }

@ -1070,8 +1074,7 @@ xmlSwitchInputEncodingInt(xmlParserCtxtPtr ctxt, xmlParserInputPtr input,
     * Is there already some content down the pipe to convert ?
     */
    if (xmlBufIsEmpty(in->buffer) == 0) {
-        int processed;
-        unsigned int use;
+        size_t processed, use, consumed;

        /*
         * Specific handling of the Byte Order Mark for
@ -1132,7 +1135,12 @@ xmlSwitchInputEncodingInt(xmlParserCtxtPtr ctxt, xmlParserInputPtr input,
                           NULL);
            return (-1);
        }
-        in->rawconsumed += use - xmlBufUse(in->raw);
+        consumed = use - xmlBufUse(in->raw);
+        if ((consumed > ULONG_MAX) ||
+            (in->rawconsumed > ULONG_MAX - (unsigned long)consumed))
+            in->rawconsumed = ULONG_MAX;
+        else
+	    in->rawconsumed += consumed;
    }
    return (0);
 }
--- a/xmlIO.c
+++ b/xmlIO.c
@ -3141,7 +3141,7 @@ xmlParserInputBufferPush(xmlParserInputBufferPtr in,
    if (len < 0) return(0);
    if ((in == NULL) || (in->error)) return(-1);
    if (in->encoder != NULL) {
-        unsigned int use;
+        size_t use, consumed;

        /*
 	 * Store the data in the incoming raw buffer
@ -3163,7 +3163,12 @@ xmlParserInputBufferPush(xmlParserInputBufferPtr in,
 	    in->error = XML_IO_ENCODER;
 	    return(-1);
 	}
-	in->rawconsumed += (use - xmlBufUse(in->raw));
+        consumed = use - xmlBufUse(in->raw);
+        if ((consumed > ULONG_MAX) ||
+            (in->rawconsumed > ULONG_MAX - (unsigned long)consumed))
+            in->rawconsumed = ULONG_MAX;
+        else
+	    in->rawconsumed += consumed;
    } else {
 	nbchars = len;
        ret = xmlBufAdd(in->buffer, (xmlChar *) buf, nbchars);
@ -3256,7 +3261,7 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) {
    }

    if (in->encoder != NULL) {
-        unsigned int use;
+        size_t use, consumed;

 	/*
 	 * convert as much as possible to the parser reading buffer.
@ -3268,7 +3273,12 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) {
 	    in->error = XML_IO_ENCODER;
 	    return(-1);
 	}
-	in->rawconsumed += (use - xmlBufUse(buf));
+        consumed = use - xmlBufUse(buf);
+        if ((consumed > ULONG_MAX) ||
+            (in->rawconsumed > ULONG_MAX - (unsigned long)consumed))
+            in->rawconsumed = ULONG_MAX;
+        else
+	    in->rawconsumed += consumed;
    }
 #ifdef DEBUG_INPUT
    xmlGenericError(xmlGenericErrorContext,