From 82d69d8ba92243242171e6be30c4d18543fe2c0b Mon Sep 17 00:00:00 2001
From: Paul Gofman
Date: Thu, 15 Apr 2021 12:50:10 +0300
Subject: [PATCH] xmllite: Avoid out of bounds access in readerinput_get_utf8_convlen().

And consequently in readerinput_shrinkraw().

Signed-off-by: Paul Gofman
Signed-off-by: Nikolay Sivov
Signed-off-by: Alexandre Julliard
---
 dlls/xmllite/reader.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/dlls/xmllite/reader.c b/dlls/xmllite/reader.c
index 13d841eb94d..a5a75c29887 100644
--- a/dlls/xmllite/reader.c
+++ b/dlls/xmllite/reader.c
@@ -844,6 +844,8 @@ static HRESULT readerinput_growraw(xmlreaderinput *readerinput)
 readerinput->pending = hr == E_PENDING;
 if (FAILED(hr)) return hr;
 buffer->written += read;
+ if (!buffer->written)
+ return MX_E_INPUTEND;
 return hr;
 }
@@ -929,6 +931,8 @@ static int readerinput_get_utf8_convlen(xmlreaderinput *readerinput)
 encoded_buffer *buffer = &readerinput->buffer->encoded;
 int len = buffer->written;
+ assert(len);
+
 /* complete single byte char */
 if (!(buffer->data[len-1] & 0x80)) return len;
@@ -966,6 +970,7 @@ static void readerinput_shrinkraw(xmlreaderinput *readerinput, int len)
 if (len == -1)
 len = readerinput_get_convlen(readerinput);
+ assert(len >= 0);
 memmove(buffer->data, buffer->data + buffer->cur + (buffer->written - len), len);
 /* everything below cur is lost too */
 buffer->written -= len + buffer->cur;
@@ -1068,7 +1073,9 @@ static HRESULT reader_more(xmlreader *reader)
 WCHAR *ptr;
 /* get some raw data from stream first */
- hr = readerinput_growraw(readerinput);
+ if (FAILED(hr = readerinput_growraw(readerinput)))
+ return hr;
+
 len = readerinput_get_convlen(readerinput);
 prev_len = dest->written / sizeof(WCHAR);
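Review bot: `assert(len);` in readerinput_get_utf8_convlen() states the precondition but is compiled out under NDEBUG, so in a release build the `buffer->data[len-1]` read this commit targets is protected only by the new empty-buffer return in readerinput_growraw(), i.e. by call order rather than by the function itself. A runtime guard such as `if (len <= 0) return 0;` (assuming 0 is the right "nothing convertible" result for this helper) would keep the bound local; the same observation applies to `assert(len >= 0);` in the readerinput_shrinkraw() hunk, where a negative len converted to size_t reaches memmove(). The remainder of readerinput_get_utf8_convlen() lies outside the hunk.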
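Review bot: `assert(len >= 0);` pins only the lower bound of the memmove() on the following line; nothing checks that len does not exceed buffer->written, in which case `buffer->written - len` goes negative and the source pointer is computed before the buffered region. If readerinput_get_convlen() guarantees len <= written, writing the check as `assert(len >= 0 && len <= buffer->written);` documents both halves of the invariant at no extra cost; an explicit caller passing len may not honour it. readerinput_shrinkraw() begins and ends outside the hunk.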
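Review bot: `if (FAILED(hr = readerinput_growraw(readerinput))) return hr;` also returns on E_PENDING, because FAILED() is true for that code and readerinput_growraw() (first hunk) propagates it after recording `readerinput->pending`; judging from the removed line, reader_more() previously continued to readerinput_get_convlen() with hr still set, so bytes already buffered on a pending stream may no longer be converted. If partial conversion on E_PENDING was intended, the condition would need to exclude it, e.g. `if (FAILED(hr) && hr != E_PENDING) return hr;`; if the early return is intentional, a comment such as `/* nothing buffered or stream error (including E_PENDING): propagate */` would make that explicit. reader_more() begins and ends outside this hunk.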