Subject: Possible infinite loop in PmmFastEncodeString() due to comparing signed with unsigned integer
PmmFastEncodeString() from perl-libxml-mm.c compares the signed integer "i" with the possibly unsigned integer "len" (e.g. on my computer STRLEN is Size_t, which is defined as size_t).
If int and STRLEN have the same width and the "len" argument has its highest bit set, then the for loop will never terminate and "i" can wrap into negative values. Moreover, overflow of a signed integer is undefined behaviour in the C language. The negative value would also be used as an index into the "string" array:
xmlChar*
PmmFastEncodeString( int charset,
                     const xmlChar *string,
                     const xmlChar *encoding,
                     STRLEN len )
{
    xmlCharEncodingHandlerPtr coder = NULL;
    xmlChar *retval = NULL;
    xmlBufferPtr in = NULL, out = NULL;
    int i;
    /* first check that the input is not ascii */
    /* since we do not want to recode ascii as, say, UTF-16 */
    if (len == 0)
        len=xmlStrlen(string);
    for (i=0; i<len; i++) {
        if(!string[i] || string[i] & 0x80) {
            break;
        }
    }
    if (i>=len) return xmlStrdup( string );
    [...]
}
I recommend changing the "int i;" declaration to "unsigned int i;".
It would also be good to check that the "len" value is not bigger than the maximal value storable in the "i" variable.
-- Petr
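The mechanics described in the report above, as an added example that is not part of the original report or of the perl-libxml code. The first function reproduces the loop condition "i < len" with an int and an unsigned index of the same width (int32_t against uint32_t, the situation the report assumes) so that the effect of a wrapped, negative "i" can be seen without running 2^31 iterations; the second is a hardened version of the ASCII-prefix scan that indexes with size_t and rejects lengths an int index could not represent, as the report recommends. The function names and the sample strings are assumptions made for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same comparison as "i<len" in the original loop when int and STRLEN have
 * the same width. By the usual arithmetic conversions, i is converted to
 * uint32_t, so a negative i becomes a large unsigned value and may still
 * satisfy the bound when len has its highest bit set. */
bool loop_condition_same_width(int32_t i, uint32_t len)
{
    return i < len;   /* i is converted to uint32_t before the compare */
}

/* Hardened ASCII-prefix check (hypothetical replacement for the loop in
 * the report): index with size_t, the same type as len, never with int,
 * and refuse lengths that would not fit into an int index.
 * Returns 1 if every byte in [0, len) is non-NUL ASCII (caller may just
 * copy the string), 0 if a NUL or a byte >= 0x80 stops the scan (its
 * offset is stored in *stop), and -1 if len exceeds INT_MAX. */
int ascii_prefix_check(const unsigned char *s, size_t len, size_t *stop)
{
    size_t i;

    if (len == 0)
        len = strlen((const char *)s);
    if (len > (size_t)INT_MAX)    /* the extra check the report asks for */
        return -1;
    for (i = 0; i < len; i++) {
        if (!s[i] || (s[i] & 0x80))
            break;
    }
    if (stop)
        *stop = i;
    return i >= len ? 1 : 0;
}

int main(void)
{
    /* constructed sample inputs */
    const unsigned char ascii[] = "hello";
    const unsigned char utf8[]  = "h\xc3\xa9";
    size_t stop = 0;

    printf("INT32_MIN < 0x80000001u : %d\n",
           loop_condition_same_width(INT32_MIN, 0x80000001u));   /* 1 */
    printf("-1 < 100u               : %d\n",
           loop_condition_same_width(-1, 100u));                 /* 0 */
    printf("ascii  -> %d\n", ascii_prefix_check(ascii, 0, &stop));
    printf("utf8   -> %d (stop at %zu)\n",
           ascii_prefix_check(utf8, sizeof utf8 - 1, &stop), stop);
    printf("huge   -> %d\n",
           ascii_prefix_check(ascii, (size_t)INT_MAX + 1, NULL));
    return 0;
}
```

The first printed line is the point of the report: after "i" has overflowed to INT32_MIN, the loop condition is still true, so the next iteration reads string[i] with a negative index. The hardened scan cannot reach that state because its index has the same type and width as its bound.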