And consequently in readerinput_shrinkraw().
Signed-off-by: Paul Gofman pgofman@codeweavers.com --- Spotted as a crash reproducible under certain conditions during Forza Horizon 4 start. The out of bounds access in readerinput_get_utf8_convlen() is reproducible with the existing tests; it just doesn't usually result in a crash, as 'if (!(buffer->data[len-1] & 0x80)) return len;' ends up returning 0 for zero length most of the time.
dlls/xmllite/reader.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/dlls/xmllite/reader.c b/dlls/xmllite/reader.c
index 13d841eb94d..aa193128e4b 100644
--- a/dlls/xmllite/reader.c
+++ b/dlls/xmllite/reader.c
@@ -929,6 +929,8 @@ static int readerinput_get_utf8_convlen(xmlreaderinput *readerinput)
 encoded_buffer *buffer = &readerinput->buffer->encoded;
 int len = buffer->written;
+ assert(len);
+
 /* complete single byte char */
 if (!(buffer->data[len-1] & 0x80)) return len;
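Review bot: `assert(len)` turns the empty-buffer case into an abort instead of a read of `buffer->data[-1]`, but assert() is compiled out under NDEBUG, so a release build would still perform the out-of-bounds read the commit message describes whenever the buffer is empty. Because this buffer is filled from the caller's input stream, an explicit guard is the more robust contract, e.g. `if (!len) return 0;` ahead of the single-byte check — 0 is the value the message says the stray read usually yields today, so callers would see no change. The check added in reader_more() in the third hunk covers that path only; readerinput_shrinkraw() in the second hunk also calls readerinput_get_convlen() when len == -1 and would still reach this line on an empty buffer. The multibyte scan of readerinput_get_utf8_convlen() that follows lies outside the hunk.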
@@ -966,6 +968,7 @@ static void readerinput_shrinkraw(xmlreaderinput *readerinput, int len)
 if (len == -1) len = readerinput_get_convlen(readerinput);
+ assert(len >= 0);
 memmove(buffer->data, buffer->data + buffer->cur + (buffer->written - len), len);
 /* everything below cur is lost too */
 buffer->written -= len + buffer->cur;
@@ -1069,6 +1072,9 @@ static HRESULT reader_more(xmlreader *reader)
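Review bot: `assert(len >= 0)` rules out a negative length but not one larger than the bytes held, while the memmove() two lines below uses `buffer->data + buffer->cur + (buffer->written - len)` as its source, so a caller passing an explicit len greater than `buffer->written` could still read from before the buffer, and the following `buffer->written -= len + buffer->cur` would go negative. Tightening the check to `assert(len >= 0 && len <= buffer->written);` pins both bounds the move relies on; whether any current caller passes such a value is not visible from the hunk. Since assert() is removed under NDEBUG, this documents the invariant rather than enforcing it in release builds. The remainder of readerinput_shrinkraw() after the `buffer->written -=` line is outside the hunk.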
 /* get some raw data from stream first */
 hr = readerinput_growraw(readerinput);
+ if (!src->written)
+ return hr ? hr : MX_E_INPUTEND;
+
 len = readerinput_get_convlen(readerinput);
 prev_len = dest->written / sizeof(WCHAR);
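Review bot: The new early return treats every non-zero `hr` from readerinput_growraw() as an error to propagate, but HRESULT success codes other than S_OK (S_FALSE, for instance, which a stream read may report at end of data) are non-zero too, so if growraw can forward such a code the caller would receive that success value instead of MX_E_INPUTEND when nothing was read. Writing it as `return FAILED(hr) ? hr : MX_E_INPUTEND;` makes the intent explicit and follows the usual COM idiom. Whether growraw ever returns a success code other than S_OK is not visible here, nor is the declaration of `src`, which I take to be the raw encoded buffer. reader_more() begins and ends outside the hunk.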
On 4/14/21 3:48 PM, Paul Gofman wrote:
@@ -1069,6 +1072,9 @@ static HRESULT reader_more(xmlreader *reader)
/* get some raw data from stream first */ hr = readerinput_growraw(readerinput);
- if (!src->written)
return hr ? hr : MX_E_INPUTEND;
- len = readerinput_get_convlen(readerinput); prev_len = dest->written / sizeof(WCHAR);
I think it's safe to move this to growraw() directly, checking for resulting buffer->written there.