xmllite: Avoid out of bounds access in readerinput_get_utf8_convlen().

And consequently in readerinput_shrinkraw(). Signed-off-by: Paul Gofman <pgofman@codeweavers.com> Signed-off-by: Nikolay Sivov <nsivov@codeweavers.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

xmllite: Avoid out of bounds access in readerinput_get_utf8_convlen().
82d69d8b · Paul Gofman · Alexandre Julliard · a0b77d71 · 82d69d8b
Commit 82d69d8b authored Apr 15, 2021 by Paul Gofman Committed by Alexandre Julliard Apr 15, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 1 deletion

reader.c dlls/xmllite/reader.c +8 -1

No files found.
--- a/dlls/xmllite/reader.c
+++ b/dlls/xmllite/reader.c
@@ -844,6 +844,8 @@ static HRESULT readerinput_growraw(xmlreaderinput *readerinput)
    readerinput->pending = hr == E_PENDING;
    if (FAILED(hr)) return hr;
    buffer->written += read;
+    if (!buffer->written)
+        return MX_E_INPUTEND;

    return hr;
 }
@@ -929,6 +931,8 @@ static int readerinput_get_utf8_convlen(xmlreaderinput *readerinput)
    encoded_buffer *buffer = &readerinput->buffer->encoded;
    int len = buffer->written;

+    assert(len);
+
    /* complete single byte char */
    if (!(buffer->data[len-1] & 0x80)) return len;

@@ -966,6 +970,7 @@ static void readerinput_shrinkraw(xmlreaderinput *readerinput, int len)
    if (len == -1)
        len = readerinput_get_convlen(readerinput);

+    assert(len >= 0);
    memmove(buffer->data, buffer->data + buffer->cur + (buffer->written - len), len);
    /* everything below cur is lost too */
    buffer->written -= len + buffer->cur;
@@ -1068,7 +1073,9 @@ static HRESULT reader_more(xmlreader *reader)
    WCHAR *ptr;

    /* get some raw data from stream first */
-    hr = readerinput_growraw(readerinput);
+    if (FAILED(hr = readerinput_growraw(readerinput)))
+        return hr;
+
    len = readerinput_get_convlen(readerinput);
    prev_len = dest->written / sizeof(WCHAR);