From bab9b6d59cef84e57259e98b4b61cbc143c7d357 Mon Sep 17 00:00:00 2001
From: Dmitry-Me
Date: Sat, 14 Mar 2015 16:41:46 +0300
Subject: [PATCH] More asserts in numbers parsing
---
 tinyxml2.cpp | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/tinyxml2.cpp b/tinyxml2.cpp
index ef00f13..32ad143 100755
--- a/tinyxml2.cpp
+++ b/tinyxml2.cpp
@@ -374,18 +374,23 @@ const char* XMLUtil::GetCharacterRef( const char* p, char* value, int* length )
 --q;
 while ( *q != 'x' ) {
+ unsigned int digit;
 if ( *q >= '0' && *q <= '9' ) {
- ucs += mult * (*q - '0');
+ digit = *q - '0';
 }
 else if ( *q >= 'a' && *q <= 'f' ) {
- ucs += mult * (*q - 'a' + 10);
+ digit = *q - 'a' + 10;
 }
 else if ( *q >= 'A' && *q <= 'F' ) {
- ucs += mult * (*q - 'A' + 10 );
+ digit = *q - 'A' + 10;
 }
 else {
 return 0;
 }
+ TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit );
+ const unsigned int digitScaled = mult * digit;
+ TIXMLASSERT( ucs <= ULONG_MAX - digitScaled );
+ ucs += digitScaled;
 TIXMLASSERT( mult <= UINT_MAX / 16 );
 mult *= 16;
 --q;
@@ -410,7 +415,11 @@ const char* XMLUtil::GetCharacterRef( const char* p, char* value, int* length )
 while ( *q != '#' ) {
 if ( *q >= '0' && *q <= '9' ) {
- ucs += mult * (*q - '0');
+ const unsigned int digit = *q - '0';
+ TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit );
+ const unsigned int digitScaled = mult * digit;
+ TIXMLASSERT( ucs <= ULONG_MAX - digitScaled );
+ ucs += digitScaled;
 }
 else {
 return 0;
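Review bot: The new overflow checks in the hex loop are `TIXMLASSERT`s, but `digit` and the digit count come straight from the character reference in the document being parsed, so an overlong numeric reference is an input condition, not a programmer error. If `TIXMLASSERT` compiles to nothing outside debug builds (its definition is not part of this patch), release builds still wrap `mult * digit` and `ucs` silently, while debug builds abort on a malformed document. The loop already rejects bad digits with `return 0;`, and the same path fits here: `if ( digit != 0 && mult > UINT_MAX / digit ) { return 0; }` and `if ( ucs > ULONG_MAX - digitScaled ) { return 0; }`. The decimal loop in the second hunk repeats the pattern and needs the same change; both loops begin and end outside the hunks shown, so how `ucs` is range-checked afterwards cannot be confirmed from here.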