Prevent out-of-bounds access in text conversion

* big2_toUtf8 * little2_toUtf8 * utf8_toUtf8 * utf8_toUtf16
2025-04-07 06:04:59 +00:00 · 2016-05-01 23:40:05 +02:00 · 2016-05-01 23:40:05 +02:00 · e18829b4ff
commit e18829b4ff
parent 2cac066cf6
1 changed files with 8 additions and 2 deletions
--- a/expat/lib/xmltok.c
+++ b/expat/lib/xmltok.c
@ -342,7 +342,7 @@ utf8_toUtf8(const ENCODING *enc,
      if (((unsigned char)fromLim[-1] & 0xc0) != 0x80)
        break;
  }
-  for (to = *toP, from = *fromP; from < fromLim; from++, to++)
+  for (to = *toP, from = *fromP; (from < fromLim) && (to < toLim); from++, to++)
    *to = *from;
  *fromP = from;
  *toP = to;
@ -358,10 +358,14 @@ utf8_toUtf16(const ENCODING *enc,
  while (from < fromLim && to < toLim) {
    switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) {
    case BT_LEAD2:
+      if (from + 2 > fromLim)
+        break;
      *to++ = (unsigned short)(((from[0] & 0x1f) << 6) | (from[1] & 0x3f));
      from += 2;
      break;
    case BT_LEAD3:
+      if (from + 3 > fromLim)
+        break;
      *to++ = (unsigned short)(((from[0] & 0xf) << 12)
                               | ((from[1] & 0x3f) << 6) | (from[2] & 0x3f));
      from += 3;
@ -371,6 +375,8 @@ utf8_toUtf16(const ENCODING *enc,
        unsigned long n;
        if (to + 1 == toLim)
          goto after;
+        if (from + 4 > fromLim)
+          goto after;
        n = ((from[0] & 0x7) << 18) | ((from[1] & 0x3f) << 12)
            | ((from[2] & 0x3f) << 6) | (from[3] & 0x3f);
        n -= 0x10000;
@ -590,7 +596,7 @@ E ## toUtf8(const ENCODING *enc, \
      *(*toP)++ = ((lo & 0x3f) | 0x80); \
      break; \
    case 0xD8: case 0xD9: case 0xDA: case 0xDB: \
-      if (toLim -  *toP < 4) { \
+      if ((toLim - *toP < 4) || (from + 4 > fromLim)) { \
        *fromP = from; \
        return; \
      } \