Index: src/OFXMLFactory.m
==================================================================
--- src/OFXMLFactory.m
+++ src/OFXMLFactory.m
@@ -32,12 +32,12 @@
 xf_resize_chars(char **str, size_t *len, size_t add)
 {
 char *str2;
 size_t len2;
- /* FIXME: Check for overflows on add */
-
+ if (add > SIZE_MAX - *len)
+ [[OFOutOfRangeException newWithObject: nil] raise];
 len2 = *len + add;
 if ((str2 = realloc(*str, len2)) == NULL) {
 if (*str) free(*str);
@@ -55,13 +55,16 @@
 xf_resize_wchars(wchar_t **str, size_t *len, size_t add)
 {
 wchar_t *str2;
 size_t len2;
- /* FIXME: Check for overflows on add and multiply */
-
+ if (add > SIZE_MAX - *len)
+ [[OFOutOfRangeException newWithObject: nil] raise];
 len2 = *len + add;
+
+ if (len2 > SIZE_MAX / sizeof(wchar_t))
+ [[OFOutOfRangeException newWithObject: nil] raise];
 if ((str2 = realloc(*str, len2 * sizeof(wchar_t))) == NULL) {
 if (*str) free(*str);
 *str = NULL;
@@ -111,14 +114,17 @@
 {
 char *ret;
 size_t i, j, len, nlen;
 len = nlen = strlen(s);
+ if (SIZE_MAX - len < 1)
+ [[OFOutOfRangeException newWithObject: nil] raise];
+ nlen++;
- if ((ret = malloc(len + 1)) == NULL)
+ if ((ret = malloc(nlen)) == NULL)
 [[OFNoMemException newWithObject: nil
- andSize: len + 1] raise];
+ andSize: nlen] raise];
 for (i = j = 0; i < len; i++) {
 switch (s[i]) {
 case '<':
 if (OF_UNLIKELY(!xf_add2chars(&ret, &nlen, &j, "<")))
@@ -167,15 +173,20 @@
 {
 wchar_t *ret;
 size_t i, j, len, nlen;
 len = nlen = wcslen(s);
+ if (SIZE_MAX - len < 1)
+ [[OFOutOfRangeException newWithObject: nil] raise];
+ nlen++;
+
+ if (nlen > SIZE_MAX / sizeof(wchar_t))
+ [[OFOutOfRangeException newWithObject: nil] raise];
- /* FIXME: Check for overflow in multiply */
- if ((ret = malloc((len + 1) * sizeof(wchar_t))) == NULL)
+ if ((ret = malloc(nlen * sizeof(wchar_t))) == NULL)
 [[OFNoMemException newWithObject: nil
- andSize: (len + 1) * sizeof(wchar_t)]
+ andSize: nlen * sizeof(wchar_t)]
 raise];
 for (i = j = 0; i < len; i++) {
 switch (s[i]) {
 case L'<':
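Review bot: In `xf_resize_chars` the new overflow branch raises without releasing `*str`, while the realloc-failure branch directly below frees the buffer (and, in `xf_resize_wchars`, sets `*str = NULL`); the same applies to both checks added to `xf_resize_wchars`. If a caller catches OFOutOfRangeException, the partially built buffer is presumably leaked, but the callers' cleanup is not visible in these hunks, so this needs confirming. Consider `if (add > SIZE_MAX - *len) { free(*str); *str = NULL; [[OFOutOfRangeException newWithObject: nil] raise]; }`, or a one-line comment stating who owns `*str` on this path. Both function bodies continue outside the hunks.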
@@ -240,11 +251,15 @@
 char *arg, *val, *xml;
 size_t i, len;
 va_list args;
 /* Start of tag */
- len = strlen(name) + 3;
+ len = strlen(name);
+ if (SIZE_MAX - len < 3)
+ [[OFOutOfRangeException newWithObject: nil] raise];
+ len += 3;
+
 if ((xml = malloc(len)) == NULL) [[OFNoMemException newWithObject: nil andSize: len] raise];
 i = 0;
@@ -335,13 +350,19 @@
 wchar_t *arg, *val, *xml;
 size_t i, len;
 va_list args;
 /* Start of tag */
- len = wcslen(name) + 3;
- /* TODO: Check for multiply overflow */
- if ((xml = malloc(len * sizeof(wchar_t*))) == NULL)
+ len = wcslen(name);
+ if (SIZE_MAX - len < 3)
+ [[OFOutOfRangeException newWithObject: nil] raise];
+ len += 3;
+
+ if (len > SIZE_MAX / sizeof(wchar_t))
+ [[OFOutOfRangeException newWithObject: nil] raise];
+
+ if ((xml = malloc(len * sizeof(wchar_t))) == NULL)
 [[OFNoMemException newWithObject: nil andSize: len * sizeof(wchar_t)] raise];
 i = 0;
 xml[i++] = L'<';
@@ -435,11 +456,14 @@
 size_t i, len, pos;
 if (strs[0] == NULL) return NULL;
- len = strlen(*strs) + 1;
+ len = strlen(*strs);
+ if (SIZE_MAX - len < 1)
+ [[OFOutOfRangeException newWithObject: nil] raise];
+ len++;
 if ((ret = malloc(len)) == NULL) [[OFNoMemException newWithObject: nil andSize: len] raise];
@@ -468,13 +492,18 @@
 size_t i, len, pos;
 if (strs[0] == NULL) return NULL;
- len = wcslen(*strs) + 1;
-
- /* FIXME: Check for overflow on multiply */
+ len = wcslen(*strs);
+ if (SIZE_MAX - len < 1)
+ [[OFOutOfRangeException newWithObject: nil] raise];
+ len++;
+
+ if (len > SIZE_MAX - sizeof(wchar_t))
+ [[OFOutOfRangeException newWithObject: nil] raise];
+
 if ((ret = malloc(len * sizeof(wchar_t))) == NULL) [[OFNoMemException newWithObject: nil andSize: len * sizeof(wchar_t)] raise];
 wmemcpy(ret, strs[0], len - 1);
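Review bot: The multiplication guard in the last hunk (`@@ -468`) is `if (len > SIZE_MAX - sizeof(wchar_t))`, which subtracts where the other wide-character hunks divide. That lets almost any `len` through, so `len * sizeof(wchar_t)` in the following `malloc` can still wrap and return a buffer smaller than what `wmemcpy(ret, strs[0], len - 1)` then writes. It should read `if (len > SIZE_MAX / sizeof(wchar_t))`, matching the check added at `@@ -335`. The function continues past the hunk, so any later growth of `ret` for the remaining `strs` entries is not visible here and would need the same guard.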