XERCESC-2241 - Integer overflows in DFAContentModel class
scantor committed Oct 10, 2022
1 parent de63649 commit 1296a40
Showing 1 changed file with 24 additions and 3 deletions.
27 changes: 24 additions & 3 deletions src/xercesc/validators/common/DFAContentModel.cpp
@@ -42,6 +42,7 @@
#include <xercesc/util/RefHashTableOf.hpp>
#include <xercesc/util/XMLInteger.hpp>
#include <math.h>
#include <limits>

XERCES_CPP_NAMESPACE_BEGIN

@@ -661,8 +662,15 @@ void DFAContentModel::buildDFA(ContentSpecNode* const curNode)
// in the fLeafCount member.
//
fLeafCount=countLeafNodes(curNode);
// Avoid integer overflow in below fLeafCount++ increment
if (fLeafCount > (std::numeric_limits<unsigned int>::max() - 1))
throw OutOfMemoryException();
fEOCPos = fLeafCount++;

// Avoid integer overflow in below memory allocation
if (fLeafCount > (std::numeric_limits<size_t>::max() / sizeof(CMLeaf*)))
throw OutOfMemoryException();

// We need to build an array of references to the non-epsilon
// leaf nodes. We will put them in the array according to their position values
//
@@ -1364,14 +1372,27 @@ unsigned int DFAContentModel::countLeafNodes(ContentSpecNode* const curNode)
if(nLoopCount!=0)
{
count += countLeafNodes(cursor);
for(unsigned int i=0;i<nLoopCount;i++)
count += countLeafNodes(rightNode);
const unsigned int countRight = countLeafNodes(rightNode);
// Avoid integer overflow in below multiplication
if (countRight > (std::numeric_limits<unsigned int>::max() / nLoopCount))
throw OutOfMemoryException();
const unsigned int countRightMulLoopCount = nLoopCount * countRight;
// Avoid integer overflow in below addition
if (count > (std::numeric_limits<unsigned int>::max() - countRightMulLoopCount))
throw OutOfMemoryException();
count += countRightMulLoopCount;
return count;
}
if(leftNode)
count+=countLeafNodes(leftNode);
if(rightNode)
count+=countLeafNodes(rightNode);
{
const unsigned int countRight = countLeafNodes(rightNode);
// Avoid integer overflow in below addition
if (count > (std::numeric_limits<unsigned int>::max() - countRight))
throw OutOfMemoryException();
count+=countRight;
}
}
return count;
}
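Review bot: The allocation guard added in buildDFA after `fEOCPos = fLeafCount++;` only bounds `fLeafCount * sizeof(CMLeaf*)`, and the allocations it protects lie below the visible lines, so it is worth confirming that no other size there is derived from fLeafCount with a larger element type or with further unsigned int arithmetic, which would wrap before size_t is involved. If fLeafCount is an unsigned int, as the preceding check suggests, this comparison can never be true where size_t is 64 bits, so the effective ceiling is the type limit rather than a resource limit and very large content models still reach the allocator. I would say so in the comment, e.g. `// Guards only fLeafCount * sizeof(CMLeaf*); other sizes computed from fLeafCount below need their own check`. In countLeafNodes, `count += countLeafNodes(cursor);` and `count+=countLeafNodes(leftNode);` remain unchecked, which is safe only if count is still zero at those points; the start of the function is outside the hunk, so that should be confirmed or noted in a comment.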