xml BUGFIX heap oob crash issues in lyxml_parse_value (#1129)
Fix an out of bounds write that appeared due to buf being increased in size
only once, even if len + offset + 4 were larger than size by a number
larger than BUFSIZE_STEP. Incrementally increase the buffer size, as long as it
is smaller than len + offset + 4.
Fix uninitialized variable u used to store a UTF-8 character in the same
function to stop valgrind complaints about uninitialized reads.
diff --git a/src/xml.c b/src/xml.c
index 02f7f4b..67819ee 100644
--- a/src/xml.c
+++ b/src/xml.c
@@ -383,6 +383,8 @@
dst[3] = 0x80 | (value & 0x3f);
(*bytes_written) = 4;
+ } else {
+ return LY_EINVAL;
}
return LY_SUCCESS;
}
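Review bot: The new `else` branch returns LY_EINVAL without assigning `*bytes_written`, while each encoding branch above it sets the count before returning; a caller that reads the count before checking the return code, or ignores the code, sees an indeterminate value. Adding `(*bytes_written) = 0;` ahead of `return LY_EINVAL;` keeps the out-parameter defined on every path. Unlike the LY_EMEM path in the second hunk, this failure produces no diagnostic, so an invalid code point fails silently unless the caller reports it; whether that matches the project's convention cannot be judged from the hunk. The function's signature and the earlier branches of the if/else chain lie above the hunk, so whether the parameter is initialized at entry could not be checked here.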
@@ -437,7 +439,7 @@
/* allocate enough for the offset and next character,
* we will need 4 bytes at most since we support only the predefined
* (one-char) entities and character references */
- if (len + offset + 4 >= size) {
+ while (len + offset + 4 >= size) {
buf = ly_realloc(buf, size + BUFSIZE_STEP);
LY_CHECK_ERR_RET(!buf, LOGMEM(ctx), LY_EMEM);
size += BUFSIZE_STEP;
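Review bot: The `while` loop grows `buf` by one BUFSIZE_STEP per pass, so a length that overshoots `size` by k steps costs k ly_realloc calls and k copies of the buffer; the required size is known before the first call and can be rounded up once, which keeps a single allocation per growth and a single point of failure. The rewrite below reaches the same final `size` as the loop (the smallest `size + k*BUFSIZE_STEP` strictly greater than `len + offset + 4`) and, like the current code, only commits the new `size` after the realloc succeeds; it assumes `size` is a `size_t`, which the hunk does not show. The LY_EMEM return relies on ly_realloc releasing the old block when it fails — if it behaves like plain realloc instead, the previous `buf` leaks on that path, which is worth confirming against its definition. The enclosing function begins before the hunk and continues after it.
```c
/* … unchanged: comment explaining the 4-byte reservation … */
if (len + offset + 4 >= size) {
    /* grow once: round the shortfall up to whole BUFSIZE_STEP increments */
    size_t new_size = size + ((len + offset + 4 - size) / BUFSIZE_STEP + 1) * BUFSIZE_STEP;
    buf = ly_realloc(buf, new_size);
    LY_CHECK_ERR_RET(!buf, LOGMEM(ctx), LY_EMEM);
    size = new_size;
}
```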