From 721a898225fde33d7303af907bc647d4e84d0db2 Mon Sep 17 00:00:00 2001 From: roytam1 Date: Tue, 8 Mar 2022 09:59:20 +0800 Subject: [PATCH] imported changes from mozilla: - Bug 1754724 - Clear up some computations in expat code. r=farre, a=tritter (c084e1e9) - Bug 1754724 - Clear up some more computations in expat code. r=farre, a=tritter (1ff49f5a) - Bug 1754724 - Clear up even more computations in expat code. r=farre, a=tritter (4a180bbf) - Bug 1758062 - Convert parameters upfront. r=smaug, a=tritter (153b3922) --- dom/xslt/xslt/txMozillaXSLTProcessor.cpp | 30 ++-- parser/expat/lib/xmlparse.c | 189 ++++++++++++++++++++++- 2 files changed, 200 insertions(+), 19 deletions(-) diff --git a/dom/xslt/xslt/txMozillaXSLTProcessor.cpp b/dom/xslt/xslt/txMozillaXSLTProcessor.cpp index 69a91213e1..d159179f96 100644 --- a/dom/xslt/xslt/txMozillaXSLTProcessor.cpp +++ b/dom/xslt/xslt/txMozillaXSLTProcessor.cpp @@ -236,9 +236,10 @@ txToFragmentHandlerFactory::createHandlerWith(txOutputFormat* aFormat, class txVariable : public txIGlobalParameter { public: - explicit txVariable(nsIVariant* aValue) : mValue(aValue) + explicit txVariable(nsIVariant* aValue, txAExprResult* aTxValue) + : mValue(aValue), mTxValue(aTxValue) { - NS_ASSERTION(aValue, "missing value"); + NS_ASSERTION(aValue && aTxValue, "missing value"); } explicit txVariable(txAExprResult* aValue) : mTxValue(aValue) { @@ -246,12 +247,7 @@ public: } nsresult getValue(txAExprResult** aValue) { - NS_ASSERTION(mValue || mTxValue, "variablevalue is null"); - - if (!mTxValue) { - nsresult rv = Convert(mValue, getter_AddRefs(mTxValue)); - NS_ENSURE_SUCCESS(rv, rv); - } + NS_ASSERTION(mTxValue, "variablevalue is null"); *aValue = mTxValue; NS_ADDREF(*aValue); @@ -268,11 +264,11 @@ public: { return mValue; } - void setValue(nsIVariant* aValue) + void setValue(nsIVariant* aValue, txAExprResult* aTxValue) { - NS_ASSERTION(aValue, "setting variablevalue to null"); + NS_ASSERTION(aValue && aTxValue, "setting variablevalue to null"); mValue = aValue; - mTxValue = nullptr; + mTxValue = aTxValue; } void setValue(txAExprResult* aValue) { @@ -281,14 +277,14 @@ public: mTxValue = aValue; } + static nsresult Convert(nsIVariant *aValue, txAExprResult** aResult); + friend void ImplCycleCollectionUnlink(txVariable& aVariable); friend void ImplCycleCollectionTraverse( nsCycleCollectionTraversalCallback& aCallback, txVariable& aVariable, const char* aName, uint32_t aFlags); private: - static nsresult Convert(nsIVariant *aValue, txAExprResult** aResult); - nsCOMPtr mValue; nsRefPtr mTxValue; }; @@ -944,13 +940,17 @@ txMozillaXSLTProcessor::SetParameter(const nsAString & aNamespaceURI, nsCOMPtr localName = do_GetAtom(aLocalName); txExpandedName varName(nsId, localName); + nsRefPtr txValue; + rv = txVariable::Convert(value, getter_AddRefs(txValue)); + NS_ENSURE_SUCCESS(rv, rv); + txVariable* var = static_cast(mVariables.get(varName)); if (var) { - var->setValue(value); + var->setValue(value, txValue); return NS_OK; } - var = new txVariable(value); + var = new txVariable(value, txValue); NS_ENSURE_TRUE(var, NS_ERROR_OUT_OF_MEMORY); return mVariables.add(varName, var); diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c index e1f15ee85e..11ef3cfeb2 100644 --- a/parser/expat/lib/xmlparse.c +++ b/parser/expat/lib/xmlparse.c @@ -2745,10 +2745,35 @@ storeAtts(XML_Parser parser, const ENCODING *enc, /* get the attributes from the tokenizer */ n = XmlGetAttributes(enc, attStr, attsSize, atts); + + /* Detect and prevent integer overflow */ + if (n > INT_MAX - nDefaultAtts) { + return XML_ERROR_NO_MEMORY; + } + if (n + nDefaultAtts > attsSize) { int oldAttsSize = attsSize; ATTRIBUTE *temp; + + /* Detect and prevent integer overflow */ + if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE) + || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) { + return XML_ERROR_NO_MEMORY; + } + attsSize = n + nDefaultAtts + INIT_ATTS_SIZE; + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) { + parser->m_attsSize = oldAttsSize; + return XML_ERROR_NO_MEMORY; + } +#endif + temp = (ATTRIBUTE *)REALLOC((void *)atts, attsSize * sizeof(ATTRIBUTE)); if (temp == NULL) return XML_ERROR_NO_MEMORY; @@ -2894,10 +2919,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, /* END MOZILLA CHANGE */ int j; /* hash table index */ unsigned long version = nsAttsVersion; - int nsAttsSize = (int)1 << nsAttsPower; + + /* Detect and prevent invalid shift */ + if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) { + return XML_ERROR_NO_MEMORY; + } + + unsigned int nsAttsSize = 1u << nsAttsPower; /* BEGIN MOZILLA CHANGE (Include xmlns attributes in attributes array) */ if (nPrefixes) { /* END MOZILLA CHANGE */ + unsigned char oldNsAttsPower = parser->m_nsAttsPower; /* size of hash table must be at least 2 * (# of prefixed attributes) */ if ((nPrefixes << 1) >> nsAttsPower) { /* true for nsAttsPower = 0 */ NS_ATT *temp; @@ -2905,7 +2937,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc, while (nPrefixes >> nsAttsPower++); if (nsAttsPower < 3) nsAttsPower = 3; - nsAttsSize = (int)1 << nsAttsPower; + + /* Detect and prevent invalid shift */ + if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) { + /* Restore actual size of memory in m_nsAtts */ + parser->m_nsAttsPower = oldNsAttsPower; + return XML_ERROR_NO_MEMORY; + } + + nsAttsSize = 1u << parser->m_nsAttsPower; + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) { + /* Restore actual size of memory in m_nsAtts */ + parser->m_nsAttsPower = oldNsAttsPower; + return XML_ERROR_NO_MEMORY; + } +#endif + temp = (NS_ATT *)REALLOC(nsAtts, nsAttsSize * sizeof(NS_ATT)); if (!temp) return XML_ERROR_NO_MEMORY; @@ -3091,9 +3144,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, tagNamePtr->prefixLen = prefixLen; for (i = 0; localPart[i++];) ; /* i includes null terminator */ + + /* Detect and prevent integer overflow */ + if (binding->uriLen > INT_MAX - prefixLen + || i > INT_MAX - (binding->uriLen + prefixLen)) { + return XML_ERROR_NO_MEMORY; + } + n = i + binding->uriLen + prefixLen; if (n > binding->uriAlloc) { TAG *p; + + /* Detect and prevent integer overflow */ + if (n > INT_MAX - EXPAND_SPARE) { + return XML_ERROR_NO_MEMORY; + } + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { + return XML_ERROR_NO_MEMORY; + } +#endif + uri = (XML_Char *)MALLOC((n + EXPAND_SPARE) * sizeof(XML_Char)); if (!uri) return XML_ERROR_NO_MEMORY; @@ -3190,6 +3265,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, if (freeBindingList) { b = freeBindingList; if (len > b->uriAlloc) { + /* Detect and prevent integer overflow */ + if (len > INT_MAX - EXPAND_SPARE) { + return XML_ERROR_NO_MEMORY; + } + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { + return XML_ERROR_NO_MEMORY; + } +#endif + XML_Char *temp = (XML_Char *)REALLOC(b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE)); if (temp == NULL) @@ -3203,6 +3293,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, b = (BINDING *)MALLOC(sizeof(BINDING)); if (!b) return XML_ERROR_NO_MEMORY; + + /* Detect and prevent integer overflow */ + if (len > INT_MAX - EXPAND_SPARE) { + return XML_ERROR_NO_MEMORY; + } + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { + return XML_ERROR_NO_MEMORY; + } +#endif + b->uri = (XML_Char *)MALLOC(sizeof(XML_Char) * (len + EXPAND_SPARE)); if (!b->uri) { FREE(b); @@ -4478,11 +4583,26 @@ doProlog(XML_Parser parser, case XML_ROLE_GROUP_OPEN: if (prologState.level >= groupSize) { if (groupSize) { + /* Detect and prevent integer overflow */ + if (parser->m_groupSize > (unsigned int)(-1) / 2u) { + return XML_ERROR_NO_MEMORY; + } + char *temp = (char *)REALLOC(groupConnector, groupSize *= 2); if (temp == NULL) return XML_ERROR_NO_MEMORY; groupConnector = temp; if (dtd->scaffIndex) { + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) { + return XML_ERROR_NO_MEMORY; + } +#endif + int *temp = (int *)REALLOC(dtd->scaffIndex, groupSize * sizeof(int)); if (temp == NULL) @@ -5467,7 +5587,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata, } else { DEFAULT_ATTRIBUTE *temp; + + /* Detect and prevent integer overflow */ + if (type->allocDefaultAtts > INT_MAX / 2) { + return 0; + } + int count = type->allocDefaultAtts * 2; + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) { + return 0; + } +#endif + temp = (DEFAULT_ATTRIBUTE *) REALLOC(type->defaultAtts, (count * sizeof(DEFAULT_ATTRIBUTE))); if (temp == NULL) @@ -6091,8 +6228,20 @@ lookup(HASH_TABLE *table, KEY name, size_t createSize) /* check for overflow (table is half full) */ if (table->used >> (table->power - 1)) { unsigned char newPower = table->power + 1; + + /* Detect and prevent invalid shift */ + if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) { + return NULL; + } + size_t newSize = (size_t)1 << newPower; unsigned long newMask = (unsigned long)newSize - 1; + + /* Detect and prevent integer overflow */ + if (newSize > (size_t)(-1) / sizeof(NAMED *)) { + return NULL; + } + size_t tsize = newSize * sizeof(NAMED *); NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize); if (!newV) @@ -6379,6 +6528,20 @@ nextScaffoldPart(XML_Parser parser) if (dtd->scaffCount >= dtd->scaffSize) { CONTENT_SCAFFOLD *temp; if (dtd->scaffold) { + /* Detect and prevent integer overflow */ + if (dtd->scaffSize > UINT_MAX / 2u) { + return -1; + } + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) { + return -1; + } +#endif + temp = (CONTENT_SCAFFOLD *) REALLOC(dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD)); if (temp == NULL) @@ -6455,8 +6618,26 @@ build_model (XML_Parser parser) XML_Content *ret; XML_Content *cpos; XML_Char * str; - int allocsize = (dtd->scaffCount * sizeof(XML_Content) - + (dtd->contentStringLen * sizeof(XML_Char))); + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) { + return NULL; + } + if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) { + return NULL; + } +#endif + if (dtd->scaffCount * sizeof(XML_Content) + > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) { + return NULL; + } + + const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content) + + (dtd->contentStringLen * sizeof(XML_Char))); ret = (XML_Content *)MALLOC(allocsize); if (!ret)