[XERCESC-2241] Fix integer overflows in DFAContentModel class
On .xsd files like the following ones (generated by ossfuzz, so broken),
integer overflows can happen in DFAContentModel::countLeafNodes() and
DFAContentModel::buildDFA() which can later cause out-of-bounds access.

Found in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52025

```
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:myns="http://myns"
           targetNamespace="http://myns"
           elementFormDefault="qualified" attributeFormDefault="unqualified">

<xs:element name="main_elt">
  <xs:complexType>
     <xs:sequence>
        <xs:group ref="myns:mygroup" minOccurs="32767" maxOccurs="1"/>
      </xs:sequence>
  </xs:complexType>
</xs:element>

<xs:group name="mygroup">
  <xs:sequence>
      <!-- related to https://issues.apache.org/jira/browse/XERCESC-1051 -->
      <xs:element name="elt" maxOccurs="33333">
        <xs:complexType>
            <xs:sequence>
                <xs:element name="x" type="xs:int" maxOccurs="1"/>
            </xs:sequence>
        </xs:complexType>
      </xs:element>
  </xs:sequence>
</xs:group>

</xs:schema>
```
rouault committed Oct 3, 2022
1 parent 045bdf8 commit d767b91
Showing 1 changed file with 24 additions and 3 deletions.
27 changes: 24 additions & 3 deletions src/xercesc/validators/common/DFAContentModel.cpp
@@ -42,6 +42,7 @@
#include <xercesc/util/RefHashTableOf.hpp>
#include <xercesc/util/XMLInteger.hpp>
#include <math.h>
#include <limits>

namespace XERCES_CPP_NAMESPACE {

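Review bot: minor style point on the new include: `<limits>` is the C++ header, while the line above keeps the C header `<math.h>`; `<cmath>` would be the consistent choice, though that is outside the scope of this fix. The include itself is required for the std::numeric_limits checks added in the later hunks.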
@@ -661,8 +662,15 @@ void DFAContentModel::buildDFA(ContentSpecNode* const curNode)
// in the fLeafCount member.
//
fLeafCount=countLeafNodes(curNode);
// Avoid integer overflow in below fLeafCount++ increment
if (fLeafCount > (std::numeric_limits<unsigned int>::max() - 1))
throw OutOfMemoryException();
fEOCPos = fLeafCount++;

// Avoid integer overflow in below memory allocation
if (fLeafCount > (std::numeric_limits<size_t>::max() / sizeof(CMLeaf*)))
throw OutOfMemoryException();

// We need to build an array of references to the non-epsilon
// leaf nodes. We will put them in the array according to their position values
//
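Review bot: the size_t guard before the allocation, `if (fLeafCount > (std::numeric_limits<size_t>::max() / sizeof(CMLeaf*)))`, only proves that one array of fLeafCount pointers can be sized without wrapping; if buildDFA sizes other buffers from fLeafCount further down (anything quadratic in the leaf count in particular), each of those multiplications needs its own check, because passing this one says nothing about them. Two smaller points: both guards throw OutOfMemoryException for what is really a pathological schema rather than an allocation failure, so callers cannot tell the two apart, and a schema-level error would be more accurate; and because the guards only reject arithmetic wraparound, a schema whose leaf count stays below UINT_MAX can still request a gigabyte-scale array, so an explicit upper bound on fLeafCount would be a useful complement. The first check `fLeafCount > max - 1` is equivalent to `fLeafCount == max` and is correctly placed before `fEOCPos = fLeafCount++`.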
@@ -1364,14 +1372,27 @@ unsigned int DFAContentModel::countLeafNodes(ContentSpecNode* const curNode)
if(nLoopCount!=0)
{
count += countLeafNodes(cursor);
for(unsigned int i=0;i<nLoopCount;i++)
count += countLeafNodes(rightNode);
const unsigned int countRight = countLeafNodes(rightNode);
// Avoid integer overflow in below multiplication
if (countRight > (std::numeric_limits<unsigned int>::max() / nLoopCount))
throw OutOfMemoryException();
const unsigned int countRightMulLoopCount = nLoopCount * countRight;
// Avoid integer overflow in below addition
if (count > (std::numeric_limits<unsigned int>::max() - countRightMulLoopCount))
throw OutOfMemoryException();
count += countRightMulLoopCount;
return count;
}
if(leftNode)
count+=countLeafNodes(leftNode);
if(rightNode)
count+=countLeafNodes(rightNode);
{
const unsigned int countRight = countLeafNodes(rightNode);
// Avoid integer overflow in below addition
if (count > (std::numeric_limits<unsigned int>::max() - countRight))
throw OutOfMemoryException();
count+=countRight;
}
}
return count;
}
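Review bot: two additions in this function remain unguarded, `count += countLeafNodes(cursor);` in the loop branch and `count+=countLeafNodes(leftNode);` in the general branch, while the rightNode additions next to them now carry an overflow check. If `count` is always 0 at those two points the additions cannot wrap, but that invariant is not visible in the hunk; either add the same `count > max - x` guard for symmetry or add a comment stating why it is unnecessary. The multiply guard `countRight > max / nLoopCount` is correct since the enclosing `if(nLoopCount!=0)` rules out division by zero, and computing `countLeafNodes(rightNode)` once and multiplying, instead of recursing nLoopCount times, also removes O(nLoopCount) redundant traversals of the same subtree.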
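The guard pattern this commit uses (compare against `numeric_limits::max() / b` before a multiplication, against `numeric_limits::max() - b` before an addition, and against `size_t` max divided by the element size before an allocation) is shown below in isolation. This is an added example, not code from xerces-c or from this commit: `LoopNode`, `countLeavesUnchecked`, `countLeavesChecked`, `allocationFits` and `checkedOverflows` are hypothetical names, the repeated-group node is a constructed stand-in for the content-spec tree, and the wraparound values assume a 32-bit `unsigned int`. The unchecked variant reproduces the pre-fix result (the old loop of nLoopCount additions sums to the same value modulo 2^32), the checked variant throws instead of wrapping.

```cpp
#include <cstddef>
#include <limits>
#include <stdexcept>

// Constructed stand-in for a repeated group in the content model:
// a subtree with `leaves` leaf nodes, repeated `loopCount` times.
struct LoopNode {
    unsigned int leaves;
    unsigned int loopCount;
};

// Pre-fix behaviour: the product is taken modulo 2^32 (unsigned wrap
// is well defined, which is exactly why it went unnoticed). The
// original loop of loopCount additions yields the same wrapped value.
unsigned int countLeavesUnchecked(unsigned int count, const LoopNode& n) {
    return count + n.loopCount * n.leaves;
}

// Post-fix behaviour: reject the multiplication and the addition before
// they can wrap. Division-based check avoids needing a wider type.
unsigned int countLeavesChecked(unsigned int count, const LoopNode& n) {
    const unsigned int umax = std::numeric_limits<unsigned int>::max();
    if (n.loopCount != 0 && n.leaves > umax / n.loopCount)
        throw std::overflow_error("leaf count multiplication overflows");
    const unsigned int product = n.loopCount * n.leaves;
    if (count > umax - product)
        throw std::overflow_error("leaf count addition overflows");
    return count + product;
}

// Allocation guard for `count` elements of `elemSize` bytes: true only
// if count * elemSize fits in size_t. On 64-bit targets this can never
// fail for a 32-bit count, which is why it is cheap to keep.
bool allocationFits(unsigned int count, std::size_t elemSize) {
    return count <= std::numeric_limits<std::size_t>::max() / elemSize;
}

// Convenience wrapper: does the checked counter refuse this input?
bool checkedOverflows(unsigned int count, const LoopNode& n) {
    try {
        countLeavesChecked(count, n);
        return false;
    } catch (const std::overflow_error&) {
        return true;
    }
}

int main() {
    // The occurrence counts from the fuzzer schema above: 33333 leaves
    // repeated 32767 times fit in 32 bits, so both variants agree.
    const LoopNode fromSchema{33333u, 32767u};
    const unsigned int a = countLeavesChecked(0u, fromSchema);
    const unsigned int b = countLeavesUnchecked(0u, fromSchema);
    // 65536 leaves repeated 65536 times is exactly 2^32: wraps to 0
    // unchecked, throws when checked.
    const LoopNode wraps{65536u, 65536u};
    const unsigned int c = countLeavesUnchecked(0u, wraps);
    return (a == b && c == 0u && checkedOverflows(0u, wraps)) ? 0 : 1;
}
```

The division form `leaves > umax / loopCount` is preferred over checking the product after the fact because the product has already wrapped by then; the `loopCount != 0` test mirrors the `if(nLoopCount!=0)` branch in the patch and keeps the division defined.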

0 comments on commit d767b91