mxmlWrite* used a recursive algorithm which could require large amounts of

stack space depending on the file (Bug #549, CVE-2016-4571)
pull/193/head
Michael R Sweet 8 years ago
parent d8c0ba9007
commit 5f74dc2124
  1. 6
      CHANGES
  2. 2
      doc/reference.html
  3. 130
      mxml-file.c

@ -1,10 +1,12 @@
CHANGES - 2016-06-11 CHANGES - 2016-06-12
-------------------- --------------------
CHANGES IN Mini-XML 2.10 CHANGES IN Mini-XML 2.10
- mxmlDelete used a recursive algorithm which could require large - mxmlDelete used a recursive algorithm which could require large
amounts of stack space depending on the file (Bug #549) amounts of stack space depending on the file (Bug #549, CVE-2016-4570)
- mxmlWrite* used a recursive algorithm which could require large
amounts of stack space depending on the file (Bug #549, CVE-2016-4571)
CHANGES IN Mini-XML 2.9 CHANGES IN Mini-XML 2.9

@ -3,7 +3,7 @@
<head> <head>
<title>Documentation </title> <title>Documentation </title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"> <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<meta name="creator" content="Mini-XML v2.9"> <meta name="creator" content="Mini-XML v2.10">
<style type="text/css"><!-- <style type="text/css"><!--
body, p, h1, h2, h3, h4 { body, p, h1, h2, h3, h4 {
font-family: "lucida grande", geneva, helvetica, arial, sans-serif; font-family: "lucida grande", geneva, helvetica, arial, sans-serif;

@ -3,7 +3,7 @@
* *
* File loading code for Mini-XML, a small XML-like file parsing library. * File loading code for Mini-XML, a small XML-like file parsing library.
* *
* Copyright 2003-2014 by Michael R Sweet. * Copyright 2003-2016 by Michael R Sweet.
* *
* These coded instructions, statements, and computer programs are the * These coded instructions, statements, and computer programs are the
* property of Michael R Sweet and are protected by Federal copyright * property of Michael R Sweet and are protected by Federal copyright
@ -2710,26 +2710,34 @@ mxml_write_node(mxml_node_t *node, /* I - Node to write */
_mxml_putc_cb_t putc_cb,/* I - Output callback */ _mxml_putc_cb_t putc_cb,/* I - Output callback */
_mxml_global_t *global)/* I - Global data */ _mxml_global_t *global)/* I - Global data */
{ {
mxml_node_t *current, /* Current node */
*next; /* Next node */
int i, /* Looping var */ int i, /* Looping var */
width; /* Width of attr + value */ width; /* Width of attr + value */
mxml_attr_t *attr; /* Current attribute */ mxml_attr_t *attr; /* Current attribute */
char s[255]; /* Temporary string */ char s[255]; /* Temporary string */
/*
* Loop through this node and all of its children...
*/
for (current = node; current; current = next)
{
/* /*
* Print the node value... * Print the node value...
*/ */
switch (node->type) switch (current->type)
{ {
case MXML_ELEMENT : case MXML_ELEMENT :
col = mxml_write_ws(node, p, cb, MXML_WS_BEFORE_OPEN, col, putc_cb); col = mxml_write_ws(current, p, cb, MXML_WS_BEFORE_OPEN, col, putc_cb);
if ((*putc_cb)('<', p) < 0) if ((*putc_cb)('<', p) < 0)
return (-1); return (-1);
if (node->value.element.name[0] == '?' || if (current->value.element.name[0] == '?' ||
!strncmp(node->value.element.name, "!--", 3) || !strncmp(current->value.element.name, "!--", 3) ||
!strncmp(node->value.element.name, "![CDATA[", 8)) !strncmp(current->value.element.name, "![CDATA[", 8))
{ {
/* /*
* Comments, CDATA, and processing instructions do not * Comments, CDATA, and processing instructions do not
@ -2738,17 +2746,16 @@ mxml_write_node(mxml_node_t *node, /* I - Node to write */
const char *ptr; /* Pointer into name */ const char *ptr; /* Pointer into name */
for (ptr = current->value.element.name; *ptr; ptr ++)
for (ptr = node->value.element.name; *ptr; ptr ++)
if ((*putc_cb)(*ptr, p) < 0) if ((*putc_cb)(*ptr, p) < 0)
return (-1); return (-1);
} }
else if (mxml_write_name(node->value.element.name, p, putc_cb) < 0) else if (mxml_write_name(current->value.element.name, p, putc_cb) < 0)
return (-1); return (-1);
col += strlen(node->value.element.name) + 1; col += strlen(current->value.element.name) + 1;
for (i = node->value.element.num_attrs, attr = node->value.element.attrs; for (i = current->value.element.num_attrs, attr = current->value.element.attrs;
i > 0; i > 0;
i --, attr ++) i --, attr ++)
{ {
@ -2790,53 +2797,21 @@ mxml_write_node(mxml_node_t *node, /* I - Node to write */
col += width; col += width;
} }
if (node->child) if (current->child)
{ {
/* /*
* Write children... * Write children...
*/ */
mxml_node_t *child; /* Current child */
if ((*putc_cb)('>', p) < 0) if ((*putc_cb)('>', p) < 0)
return (-1); return (-1);
else else
col ++; col ++;
col = mxml_write_ws(node, p, cb, MXML_WS_AFTER_OPEN, col, putc_cb); col = mxml_write_ws(current, p, cb, MXML_WS_AFTER_OPEN, col, putc_cb);
for (child = node->child; child; child = child->next)
{
if ((col = mxml_write_node(child, p, cb, col, putc_cb, global)) < 0)
return (-1);
}
/*
* The ? and ! elements are special-cases and have no end tags...
*/
if (node->value.element.name[0] != '!' &&
node->value.element.name[0] != '?')
{
col = mxml_write_ws(node, p, cb, MXML_WS_BEFORE_CLOSE, col, putc_cb);
if ((*putc_cb)('<', p) < 0)
return (-1);
if ((*putc_cb)('/', p) < 0)
return (-1);
if (mxml_write_string(node->value.element.name, p, putc_cb) < 0)
return (-1);
if ((*putc_cb)('>', p) < 0)
return (-1);
col += strlen(node->value.element.name) + 3;
col = mxml_write_ws(node, p, cb, MXML_WS_AFTER_CLOSE, col, putc_cb);
}
} }
else if (node->value.element.name[0] == '!' || else if (current->value.element.name[0] == '!' ||
node->value.element.name[0] == '?') current->value.element.name[0] == '?')
{ {
/* /*
* The ? and ! elements are special-cases... * The ? and ! elements are special-cases...
@ -2847,7 +2822,7 @@ mxml_write_node(mxml_node_t *node, /* I - Node to write */
else else
col ++; col ++;
col = mxml_write_ws(node, p, cb, MXML_WS_AFTER_OPEN, col, putc_cb); col = mxml_write_ws(current, p, cb, MXML_WS_AFTER_OPEN, col, putc_cb);
} }
else else
{ {
@ -2860,12 +2835,12 @@ mxml_write_node(mxml_node_t *node, /* I - Node to write */
col += 3; col += 3;
col = mxml_write_ws(node, p, cb, MXML_WS_AFTER_OPEN, col, putc_cb); col = mxml_write_ws(current, p, cb, MXML_WS_AFTER_OPEN, col, putc_cb);
} }
break; break;
case MXML_INTEGER : case MXML_INTEGER :
if (node->prev) if (current->prev)
{ {
if (global->wrap > 0 && col > global->wrap) if (global->wrap > 0 && col > global->wrap)
{ {
@ -2880,7 +2855,7 @@ mxml_write_node(mxml_node_t *node, /* I - Node to write */
col ++; col ++;
} }
sprintf(s, "%d", node->value.integer); sprintf(s, "%d", current->value.integer);
if (mxml_write_string(s, p, putc_cb) < 0) if (mxml_write_string(s, p, putc_cb) < 0)
return (-1); return (-1);
@ -2888,14 +2863,14 @@ mxml_write_node(mxml_node_t *node, /* I - Node to write */
break; break;
case MXML_OPAQUE : case MXML_OPAQUE :
if (mxml_write_string(node->value.opaque, p, putc_cb) < 0) if (mxml_write_string(current->value.opaque, p, putc_cb) < 0)
return (-1); return (-1);
col += strlen(node->value.opaque); col += strlen(current->value.opaque);
break; break;
case MXML_REAL : case MXML_REAL :
if (node->prev) if (current->prev)
{ {
if (global->wrap > 0 && col > global->wrap) if (global->wrap > 0 && col > global->wrap)
{ {
@ -2910,7 +2885,7 @@ mxml_write_node(mxml_node_t *node, /* I - Node to write */
col ++; col ++;
} }
sprintf(s, "%f", node->value.real); sprintf(s, "%f", current->value.real);
if (mxml_write_string(s, p, putc_cb) < 0) if (mxml_write_string(s, p, putc_cb) < 0)
return (-1); return (-1);
@ -2918,7 +2893,7 @@ mxml_write_node(mxml_node_t *node, /* I - Node to write */
break; break;
case MXML_TEXT : case MXML_TEXT :
if (node->value.text.whitespace && col > 0) if (current->value.text.whitespace && col > 0)
{ {
if (global->wrap > 0 && col > global->wrap) if (global->wrap > 0 && col > global->wrap)
{ {
@ -2933,10 +2908,10 @@ mxml_write_node(mxml_node_t *node, /* I - Node to write */
col ++; col ++;
} }
if (mxml_write_string(node->value.text.string, p, putc_cb) < 0) if (mxml_write_string(current->value.text.string, p, putc_cb) < 0)
return (-1); return (-1);
col += strlen(node->value.text.string); col += strlen(current->value.text.string);
break; break;
case MXML_CUSTOM : case MXML_CUSTOM :
@ -2965,6 +2940,45 @@ mxml_write_node(mxml_node_t *node, /* I - Node to write */
return (-1); return (-1);
} }
/*
* Figure out the next node...
*/
if ((next = current->child) == NULL)
{
while ((next = current->next) == NULL)
{
if (current == node)
break;
/*
* The ? and ! elements are special-cases and have no end tags...
*/
current = current->parent;
if (current->value.element.name[0] != '!' &&
current->value.element.name[0] != '?')
{
col = mxml_write_ws(current, p, cb, MXML_WS_BEFORE_CLOSE, col, putc_cb);
if ((*putc_cb)('<', p) < 0)
return (-1);
if ((*putc_cb)('/', p) < 0)
return (-1);
if (mxml_write_string(current->value.element.name, p, putc_cb) < 0)
return (-1);
if ((*putc_cb)('>', p) < 0)
return (-1);
col += strlen(current->value.element.name) + 3;
col = mxml_write_ws(current, p, cb, MXML_WS_AFTER_CLOSE, col, putc_cb);
}
}
}
}
return (col); return (col);
} }
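Review bot: The "Figure out the next node..." step at the end of the new `for` loop can walk out of the subtree rooted at `node`, because `current == node` is tested only after `current->next` has been found to be NULL. When `node` has a next sibling, the loop goes on to write that sibling, which the recursive version never did. After the last sibling it climbs with `current = current->parent` and reads `current->value.element.name` with no NULL check on the parent; callers are not visible here, so this presumably matters whenever a non-root node is saved. I would end the walk as soon as it is back at `node` and guard the parent step, as in the excerpt below. Separately, `sprintf(s, "%f", current->value.real)` writes into `char s[255]`, which a large double can exceed, so `snprintf(s, sizeof(s), "%f", current->value.real)` would bound it.

```c
    if ((next = current->child) == NULL && current != node)
    {
      while ((next = current->next) == NULL)
      {
        if (!current->parent)
          break;

        current = current->parent;

        /* … unchanged: write the close tag unless the name starts with '!' or '?' … */

        if (current == node)
          break;
      }
    }
```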
