This queue is for tickets about the XML-LibXML CPAN distribution.

Report information
The Basics
Id: 96649
Status: new
Priority: 0/
Queue: XML-LibXML

People
Owner: Nobody in particular
Requestors: ppisar [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 2.0116
Fixed in: (no value)



Subject: Possible infinite loop in PmmFastEncodeString() due to comparing signed with unsigned integer
PmmFastEncodeString() from perl-libxml-mm.c compares signed integer "i" with possibly unsigned integer "len". (E.g. on my computer, the STRLEN is Size_t defined as size_t.) If int and STRLEN have the same width, then if the "len" argument has the highest bit set, then the for-cycle will never terminate as the "i" can wrap into negative values. Moreover, the wrap of a signed integer is undefined in the C language. The negative value would also be used as an index into the "string" array:

    xmlChar*
    PmmFastEncodeString( int charset,
                         const xmlChar *string,
                         const xmlChar *encoding,
                         STRLEN len )
    {
        xmlCharEncodingHandlerPtr coder = NULL;
        xmlChar *retval = NULL;
        xmlBufferPtr in = NULL, out = NULL;

        int i;
        /* first check that the input is not ascii */
        /* since we do not want to recode ascii as, say, UTF-16 */
        if (len == 0)
            len=xmlStrlen(string);
        for (i=0; i<len; i++) {
            if(!string[i] || string[i] & 0x80) {
                break;
            }
        }
        if (i>=len) return xmlStrdup( string );
        [...]
    }

I recommend changing the "int i;" declaration to "unsigned int i;". It would also be great to check that the "len" value is not bigger than the maximal value storable in the "i" variable.

-- Petr
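
Added example (not part of the ticket and not XML-LibXML code): a stand-alone version of the ASCII pre-check from the report, alongside the conversion the compiler applies in the original "i < len" comparison and the range check the report asks for. It goes one step beyond the suggested "unsigned int" by giving the index the same type as the length. The function names are hypothetical, and size_t stands in for STRLEN as on the reporter's machine.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper, not XML-LibXML code: index of the first NUL or
 * non-ASCII byte in buf, or len when every byte is plain ASCII.
 * The index has the same unsigned type as len, so it reaches len
 * without ever overflowing or becoming a negative array index. */
size_t ascii_prefix_len(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (!buf[i] || (buf[i] & 0x80))
            break;
    }
    return i;
}

/* What "i < len" means when i is int and len is size_t (size_t at least
 * as wide as int): the usual arithmetic conversions turn i into size_t
 * first. The cast below only spells out that implicit conversion. */
int int_index_below(int i, size_t len)
{
    return (size_t)i < len;
}

/* The range check from the report: can len be reached by an int index? */
int len_fits_int_index(size_t len)
{
    return len <= (size_t)INT_MAX;
}

int main(void)
{
    /* Constructed sample input: "caf" followed by a two-byte UTF-8 sequence. */
    const unsigned char sample[] = { 'c', 'a', 'f', 0xC3, 0xA9 };

    printf("ascii prefix: %zu of %zu bytes\n",
           ascii_prefix_len(sample, sizeof sample), sizeof sample);
    printf("-1 < 10 after conversion: %d\n", int_index_below(-1, 10));
    printf("INT_MAX + 1 fits int index: %d\n",
           len_fits_int_index((size_t)INT_MAX + 1));
    return 0;
}
```

Building the original loop with -Wsign-compare (part of -Wextra for C in GCC and Clang) flags the mixed comparison at compile time.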