xml BUGFIX heap oob crash issues in lyxml_parse_value (#1129) Fix an out of bounds write that appeared due to buf being increased in size only once, even if len + offset + 4 were larger than size by a number larger than BUFSIZE_STEP. Incrementally increase the buffer size, as long as it is smaller than len + offset + 4. Fix uninitialized variable u used to store a UTF-8 character in the same function to stop valgrind complains about uninitialized reads.

commit: cb017cc68fdceead1f03cd5789a19645d384b5b5 [log] [tgz]
author: Juraj Vijtiuk <30860583+jvijtiuk@users.noreply.github.com> Wed Jul 08 16:19:58 2020 +0200
committer: GitHub <noreply@github.com> Wed Jul 08 16:19:58 2020 +0200
tree: d21cd87061b80c50979bdb306d61979b3dedb397
parent: d59035b1a04113d5bb58a9ec20ea8fb27bd46272 [diff] [blame]
diff --git a/src/xml.c b/src/xml.c
index 02f7f4b..67819ee 100644
--- a/src/xml.c
+++ b/src/xml.c

@@ -383,6 +383,8 @@
         dst[3] = 0x80 | (value & 0x3f);
 
         (*bytes_written) = 4;
+    } else {
+	    return LY_EINVAL;
     }
     return LY_SUCCESS;
 }
@@ -437,7 +439,7 @@
             /* allocate enough for the offset and next character,
              * we will need 4 bytes at most since we support only the predefined
              * (one-char) entities and character references */
-            if (len + offset + 4 >= size) {
+            while (len + offset + 4 >= size) {
                 buf = ly_realloc(buf, size + BUFSIZE_STEP);
                 LY_CHECK_ERR_RET(!buf, LOGMEM(ctx), LY_EMEM);
                 size += BUFSIZE_STEP;
commit	cb017cc68fdceead1f03cd5789a19645d384b5b5	[log] [tgz]
author	Juraj Vijtiuk <30860583+jvijtiuk@users.noreply.github.com>	Wed Jul 08 16:19:58 2020 +0200
committer	GitHub <noreply@github.com>	Wed Jul 08 16:19:58 2020 +0200
tree	d21cd87061b80c50979bdb306d61979b3dedb397
parent	d59035b1a04113d5bb58a9ec20ea8fb27bd46272 [diff] [blame]