Commit 6010a5369f55dab2b724045fc9b68cb14313da35
2022-01-28T16:27:12
Avoid potential integer overflow in xmlstring.c For historical reasons, the string API operates with int indices which can overflow, especially on 64-bit systems. libxml2 always made the tacit assumption that strings will be never larger than INT_MAX bytes. It should be considered a bug if any part of the code can produce larger strings, whether they are externally visible or not. Likewise, API users are expected not to supply strings larger than INT_MAX bytes. This requirement isn't documented. But even if it was, we must handle larger strings passed in by accident without causing memory errors. - xmlStrndup, xmlCharStrndup, xmlUTF8Strndup Avoid integer overflow if len == INT_MAX. - xmlStrlen, xmlUTF8Strsize, xmlUTF8Strloc Avoid integer overflow by using size_t for index. If an input string larger than INT_MAX bytes is detected, these functions now return 0 instead of a wrong and possibly negative value. - xmlCheckUTF8 Avoid integer overflow by limiting index range. - xmlStrncat, xmlStrncatNew, xmlEscapeFormatString Avoid integer overflow. Return NULL instead of producing strings larger than INT_MAX bytes.