[XERCESC-2241] Fix integer overflows in DFAContentModel class #51
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Author
|
CC @rleigh-codelibre This should be relatively safe to apply |
Contributor
rleigh-codelibre
left a comment
rleigh-codelibre
left a comment
There was a problem hiding this comment.
The logic of the change all looks fine, but a query regarding the type used for numeric_limits::max().
Thanks,
Roger
On .xsd files like the following ones (generated by ossfuzz, so broken), integer overflows can happen in DFAContentModel::countLeafNodes() and DFAContentModel::buildDFA() which can later cause out-of-bounds access. Found in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52025 ``` <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:myns="http://myns" targetNamespace="http://myns" elementFormDefault="qualified" attributeFormDefault="unqualified"> <xs:element name="main_elt"> <xs:complexType> <xs:sequence> <xs:group ref="myns:mygroup" minOccurs="32767" maxOccurs="1"/> </xs:sequence> </xs:complexType> </xs:element> <xs:group name="mygroup"> <xs:sequence> <!-- related to https://issues.apache.org/jira/browse/XERCESC-1051 --> <xs:element name="elt" maxOccurs="33333"> <xs:complexType> <xs:sequence> ame="x" type="xs:int" maxOccurs="1"/> </xs:sequence> </xs:complexType> </xs:element> </xs:sequence> </xs:group> </xs:schema> ```
rouault
force-pushed
the
fix_XERCESC-2241
branch
from
e4d60a2 to
d767b91
Compare
rleigh-codelibre
approved these changes
Oct 3, 2022
Contributor
rleigh-codelibre
left a comment
rleigh-codelibre
left a comment
There was a problem hiding this comment.
Thanks for the changes, this all looks to be correct to me. I'll merge it once the CI has passed (for the CI build which isn't broken).
Contributor
|
@rleigh-codelibre If you can apply this to master that will make it easier for me to cherry-pick back to the branch. |
Contributor
|
(My only concern re: compatibility was the reference to size_it in the max function possibly causing compatibility issues, but I'll take the risk.) |
Contributor
|
I applied this to both branches. |
raspbian-autopush
pushed a commit
to raspbian-packages/xerces-c
that referenced
this pull request
Jan 4, 2024
raspbian-autopush
pushed a commit
to raspbian-packages/xerces-c
that referenced
this pull request
Feb 15, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
On .xsd files like the following ones (generated by ossfuzz, so broken), integer overflows can happen in DFAContentModel::countLeafNodes() and DFAContentModel::buildDFA() which can later cause out-of-bounds access.
Found in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52025