authorMoonchild <moonchild@palemoon.org>2021-02-24 09:57:24 +0000
committerMoonchild <moonchild@palemoon.org>2021-02-24 09:57:24 +0000
commit525961c26137ca8a6416b9b2cd6b390593881be1 (patch)
treecbfcdf28587f39f4e7622652d1fb664736cef68f /parser/html/java/htmlparser
parent77d26e8bcd4c9cd94ffbaf4a035342f0d50b3438 (diff)
[html parser] Check for integer overflow when computing new buffer sizes.
Diffstat (limited to 'parser/html/java/htmlparser')
-rw-r--r--parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/MetaScanner.java8
-rw-r--r--parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/Portability.java15
-rw-r--r--parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/Tokenizer.java8
3 files changed, 22 insertions, 9 deletions
diff --git a/parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/MetaScanner.java b/parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/MetaScanner.java
index be7576ff0..29c5138a4 100644
--- a/parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/MetaScanner.java
+++ b/parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/MetaScanner.java
@@ -1,7 +1,7 @@
/*
* Copyright (c) 2007 Henri Sivonen
* Copyright (c) 2008-2015 Mozilla Foundation
- * Copyright (c) 2018-2020 Moonchild Productions
+ * Copyright (c) 2018-2021 Moonchild Productions
* Copyright (c) 2020 Binary Outcast
*
* Permission is hereby granted, free of charge, to any person obtaining a
@@ -753,7 +753,7 @@ public abstract class MetaScanner {
stateSave = state;
}
- private void handleCharInAttributeValue(int c) {
+ private void handleCharInAttributeValue(int c) throws SAXException {
if (metaState == A) {
if (contentIndex == CONTENT.length || charsetIndex == CHARSET.length) {
addToBuffer(c);
@@ -778,9 +778,9 @@ public abstract class MetaScanner {
* Adds a character to the accumulation buffer.
* @param c the character to add
*/
- private void addToBuffer(int c) {
+ private void addToBuffer(int c) throws SAXException {
if (strBufLen == strBuf.length) {
- char[] newBuf = new char[strBuf.length + (strBuf.length << 1)];
+ char[] newBuf = new char[Portability.checkedAdd(strBuf.length, (strBuf.length << 1))];
System.arraycopy(strBuf, 0, newBuf, 0, strBuf.length);
strBuf = newBuf;
}
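Review bot: The `strBuf.length << 1` operand in addToBuffer is still computed with an unchecked shift, so it can wrap to a negative value before `Portability.checkedAdd` ever sees it. For a buffer of 2^30 chars or more the shifted value is negative; with assertions enabled that trips `assert b >= 0` and surfaces as an AssertionError rather than the intended SAXException, and with assertions off the overflow is caught only because a negative `b` happens to make `sum < a`. Keeping the whole growth computation inside the checked helper makes this explicit: `char[] newBuf = new char[Portability.checkedAdd(strBuf.length, Portability.checkedAdd(strBuf.length, strBuf.length))];`. The rest of addToBuffer lies outside the hunk.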
diff --git a/parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/Portability.java b/parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/Portability.java
index 8f941ce01..a83c3d519 100644
--- a/parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/Portability.java
+++ b/parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/Portability.java
@@ -1,6 +1,6 @@
/*
* Copyright (c) 2008-2015 Mozilla Foundation
- * Copyright (c) 2018-2020 Moonchild Productions
+ * Copyright (c) 2018-2021 Moonchild Productions
* Copyright (c) 2020 Binary Outcast
*
* Permission is hereby granted, free of charge, to any person obtaining a
@@ -24,6 +24,8 @@
package nu.validator.htmlparser.impl;
+import org.xml.sax.SAXException;
+
import nu.validator.htmlparser.annotation.Literal;
import nu.validator.htmlparser.annotation.Local;
import nu.validator.htmlparser.annotation.NoLength;
@@ -31,6 +33,17 @@ import nu.validator.htmlparser.common.Interner;
public final class Portability {
+ public static int checkedAdd(int a, int b) throws SAXException {
+ // This can't be translated code, because in C++ signed integer overflow is UB, so the below code would be wrong.
+ assert a >= 0;
+ assert b >= 0;
+ int sum = a + b;
+ if (sum < a || sum < b) {
+ throw new SAXException("Integer overflow");
+ }
+ return sum;
+ }
+
// Allocating methods
/**
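Review bot: checkedAdd enforces its non-negative precondition only with `assert`, which the JVM skips unless run with `-ea`, and the `sum < a || sum < b` test is a valid overflow check only when both operands are non-negative. With a negative operand it can throw on a sum that did not overflow (a = -1, b = 5) or miss one that did (Integer.MIN_VALUE plus -1), which matters for call sites such as `Portability.checkedAdd(strBufLen, length)` in Tokenizer.appendStrBuf, where `length` comes from the caller. Making the guard explicit removes the dependence on assertions: `if (a < 0 || b < 0 || a > Integer.MAX_VALUE - b) { throw new SAXException("Integer overflow"); }`. A short Javadoc stating that both arguments must be non-negative and that SAXException signals overflow would also help; the Portability class continues outside the hunk.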
diff --git a/parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/Tokenizer.java b/parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/Tokenizer.java
index 3d617fd01..028b7a7d1 100644
--- a/parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/Tokenizer.java
+++ b/parser/html/java/htmlparser/src/nu/validator/htmlparser/impl/Tokenizer.java
@@ -1,7 +1,7 @@
/*
* Copyright (c) 2005-2007 Henri Sivonen
* Copyright (c) 2007-2015 Mozilla Foundation
- * Copyright (c) 2018-2020 Moonchild Productions
+ * Copyright (c) 2018-2021 Moonchild Productions
* Copyright (c) 2020 Binary Outcast
* Portions of comments Copyright 2004-2010 Apple Computer, Inc., Mozilla
* Foundation, and Opera Software ASA.
@@ -1009,8 +1009,8 @@ public class Tokenizer implements Locator {
// ]NOCPP]
}
- private void appendStrBuf(@NoLength char[] buffer, int offset, int length) {
- int newLen = strBufLen + length;
+ private void appendStrBuf(@NoLength char[] buffer, int offset, int length) throws SAXException {
+ int newLen = Portability.checkedAdd(strBufLen, length);
// CPPONLY: assert newLen <= strBuf.length: "Previous buffer length insufficient.";
// CPPONLY: if (strBuf.length < newLen) {
// CPPONLY: if (!EnsureBufferSpace(length)) {
@@ -1024,7 +1024,7 @@ public class Tokenizer implements Locator {
/**
* Append the contents of the char reference buffer to the main one.
*/
- @Inline private void appendCharRefBufToStrBuf() {
+ @Inline private void appendCharRefBufToStrBuf() throws SAXException {
appendStrBuf(charRefBuf, 0, charRefBufLen);
charRefBufLen = 0;
}