153aa9179Sopenharmony_ciFrom 4951c462eae68562df335ff6d611f4352ea9931d Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Sun, 6 Mar 2022 02:29:00 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] Avoid arithmetic on freed pointers
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciConflict:NA
753aa9179Sopenharmony_ciReference:https://gitlab.gnome.org/GNOME/libxml2/-/commit/4951c462eae68562df335ff6d611f4352ea9931d
853aa9179Sopenharmony_ci
953aa9179Sopenharmony_ci---
1053aa9179Sopenharmony_ci parserInternals.c | 45 +++++++++------------------------------------
1153aa9179Sopenharmony_ci 1 file changed, 9 insertions(+), 36 deletions(-)
1253aa9179Sopenharmony_ci
1353aa9179Sopenharmony_cidiff --git a/parserInternals.c b/parserInternals.c
1453aa9179Sopenharmony_ciindex c5c0b16..d68592f 100644
1553aa9179Sopenharmony_ci--- a/parserInternals.c
1653aa9179Sopenharmony_ci+++ b/parserInternals.c
1753aa9179Sopenharmony_ci@@ -300,7 +300,6 @@ int
1853aa9179Sopenharmony_ci xmlParserInputGrow(xmlParserInputPtr in, int len) {
1953aa9179Sopenharmony_ci     int ret;
2053aa9179Sopenharmony_ci     size_t indx;
2153aa9179Sopenharmony_ci-    const xmlChar *content;
2253aa9179Sopenharmony_ci 
2353aa9179Sopenharmony_ci     if ((in == NULL) || (len < 0)) return(-1);
2453aa9179Sopenharmony_ci #ifdef DEBUG_INPUT
2553aa9179Sopenharmony_ci@@ -325,22 +324,8 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) {
2653aa9179Sopenharmony_ci     } else
2753aa9179Sopenharmony_ci         return(0);
2853aa9179Sopenharmony_ci 
2953aa9179Sopenharmony_ci-    /*
3053aa9179Sopenharmony_ci-     * NOTE : in->base may be a "dangling" i.e. freed pointer in this
3153aa9179Sopenharmony_ci-     *        block, but we use it really as an integer to do some
3253aa9179Sopenharmony_ci-     *        pointer arithmetic. Insure will raise it as a bug but in
3353aa9179Sopenharmony_ci-     *        that specific case, that's not !
3453aa9179Sopenharmony_ci-     */
3553aa9179Sopenharmony_ci-
3653aa9179Sopenharmony_ci-    content = xmlBufContent(in->buf->buffer);
3753aa9179Sopenharmony_ci-    if (in->base != content) {
3853aa9179Sopenharmony_ci-        /*
3953aa9179Sopenharmony_ci-	 * the buffer has been reallocated
4053aa9179Sopenharmony_ci-	 */
4153aa9179Sopenharmony_ci-	indx = in->cur - in->base;
4253aa9179Sopenharmony_ci-	in->base = content;
4353aa9179Sopenharmony_ci-	in->cur = &content[indx];
4453aa9179Sopenharmony_ci-    }
4553aa9179Sopenharmony_ci+    in->base = xmlBufContent(in->buf->buffer);
4653aa9179Sopenharmony_ci+    in->cur = in->base + indx;
4753aa9179Sopenharmony_ci     in->end = xmlBufEnd(in->buf->buffer);
4853aa9179Sopenharmony_ci 
4953aa9179Sopenharmony_ci     CHECK_BUFFER(in);
5053aa9179Sopenharmony_ci@@ -358,8 +343,6 @@ void
5153aa9179Sopenharmony_ci xmlParserInputShrink(xmlParserInputPtr in) {
5253aa9179Sopenharmony_ci     size_t used;
5353aa9179Sopenharmony_ci     size_t ret;
5453aa9179Sopenharmony_ci-    size_t indx;
5553aa9179Sopenharmony_ci-    const xmlChar *content;
5653aa9179Sopenharmony_ci 
5753aa9179Sopenharmony_ci #ifdef DEBUG_INPUT
5853aa9179Sopenharmony_ci     xmlGenericError(xmlGenericErrorContext, "Shrink\n");
5953aa9179Sopenharmony_ci@@ -372,7 +355,7 @@ xmlParserInputShrink(xmlParserInputPtr in) {
6053aa9179Sopenharmony_ci 
6153aa9179Sopenharmony_ci     CHECK_BUFFER(in);
6253aa9179Sopenharmony_ci 
6353aa9179Sopenharmony_ci-    used = in->cur - xmlBufContent(in->buf->buffer);
6453aa9179Sopenharmony_ci+    used = in->cur - in->base;
6553aa9179Sopenharmony_ci     /*
6653aa9179Sopenharmony_ci      * Do not shrink on large buffers whose only a tiny fraction
6753aa9179Sopenharmony_ci      * was consumed
6853aa9179Sopenharmony_ci@@ -380,27 +363,17 @@ xmlParserInputShrink(xmlParserInputPtr in) {
6953aa9179Sopenharmony_ci     if (used > INPUT_CHUNK) {
7053aa9179Sopenharmony_ci 	ret = xmlBufShrink(in->buf->buffer, used - LINE_LEN);
7153aa9179Sopenharmony_ci 	if (ret > 0) {
7253aa9179Sopenharmony_ci-	    in->cur -= ret;
7353aa9179Sopenharmony_ci+            used -= ret;
7453aa9179Sopenharmony_ci 	    in->consumed += ret;
7553aa9179Sopenharmony_ci 	}
7653aa9179Sopenharmony_ci-	in->end = xmlBufEnd(in->buf->buffer);
7753aa9179Sopenharmony_ci     }
7853aa9179Sopenharmony_ci 
7953aa9179Sopenharmony_ci-    CHECK_BUFFER(in);
8053aa9179Sopenharmony_ci-
8153aa9179Sopenharmony_ci-    if (xmlBufUse(in->buf->buffer) > INPUT_CHUNK) {
8253aa9179Sopenharmony_ci-        return;
8353aa9179Sopenharmony_ci-    }
8453aa9179Sopenharmony_ci-    xmlParserInputBufferRead(in->buf, 2 * INPUT_CHUNK);
8553aa9179Sopenharmony_ci-    content = xmlBufContent(in->buf->buffer);
8653aa9179Sopenharmony_ci-    if (in->base != content) {
8753aa9179Sopenharmony_ci-        /*
8853aa9179Sopenharmony_ci-	 * the buffer has been reallocated
8953aa9179Sopenharmony_ci-	 */
9053aa9179Sopenharmony_ci-	indx = in->cur - in->base;
9153aa9179Sopenharmony_ci-	in->base = content;
9253aa9179Sopenharmony_ci-	in->cur = &content[indx];
9353aa9179Sopenharmony_ci+    if (xmlBufUse(in->buf->buffer) <= INPUT_CHUNK) {
9453aa9179Sopenharmony_ci+        xmlParserInputBufferRead(in->buf, 2 * INPUT_CHUNK);
9553aa9179Sopenharmony_ci     }
9653aa9179Sopenharmony_ci+
9753aa9179Sopenharmony_ci+    in->base = xmlBufContent(in->buf->buffer);
9853aa9179Sopenharmony_ci+    in->cur = in->base + used;
9953aa9179Sopenharmony_ci     in->end = xmlBufEnd(in->buf->buffer);
10053aa9179Sopenharmony_ci 
10153aa9179Sopenharmony_ci     CHECK_BUFFER(in);
10253aa9179Sopenharmony_ci-- 
10353aa9179Sopenharmony_ci2.27.0
10453aa9179Sopenharmony_ci