Prevent out-of-bounds access in text conversion

* big2_toUtf8
* little2_toUtf8
* utf8_toUtf8
* utf8_toUtf16

diff --git a/expat/lib/xmltok.c b/expat/lib/xmltok.c
index 603a7b234768c07c83faf0741ce99533d41f2f62..df708939d5cdf415fdf7b90ad2f5a61709269f95 100644 (file)
--- a/expat/lib/xmltok.c
+++ b/expat/lib/xmltok.c
@@ -342,7 +342,7 @@ utf8_toUtf8(const ENCODING *enc,
       if (((unsigned char)fromLim[-1] & 0xc0) != 0x80)
         break;
   }
-  for (to = *toP, from = *fromP; from < fromLim; from++, to++)
+  for (to = *toP, from = *fromP; (from < fromLim) && (to < toLim); from++, to++)
     *to = *from;
   *fromP = from;
   *toP = to;
@@ -358,10 +358,14 @@ utf8_toUtf16(const ENCODING *enc,
   while (from < fromLim && to < toLim) {
     switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) {
     case BT_LEAD2:
+      if (from + 2 > fromLim)
+        break;
       *to++ = (unsigned short)(((from[0] & 0x1f) << 6) | (from[1] & 0x3f));
       from += 2;
       break;
     case BT_LEAD3:
+      if (from + 3 > fromLim)
+        break;
       *to++ = (unsigned short)(((from[0] & 0xf) << 12)
                                | ((from[1] & 0x3f) << 6) | (from[2] & 0x3f));
       from += 3;
@@ -371,6 +375,8 @@ utf8_toUtf16(const ENCODING *enc,
         unsigned long n;
         if (to + 1 == toLim)
           goto after;
+        if (from + 4 > fromLim)
+          goto after;
         n = ((from[0] & 0x7) << 18) | ((from[1] & 0x3f) << 12)
             | ((from[2] & 0x3f) << 6) | (from[3] & 0x3f);
         n -= 0x10000;
@@ -590,7 +596,7 @@ E ## toUtf8(const ENCODING *enc, \
       *(*toP)++ = ((lo & 0x3f) | 0x80); \
       break; \
     case 0xD8: case 0xD9: case 0xDA: case 0xDB: \
-      if (toLim -  *toP < 4) { \
+      if ((toLim - *toP < 4) || (from + 4 > fromLim)) { \
         *fromP = from; \
         return; \
       } \