Nikolay Sivov (@nsivov) commented about dlls/xmllite/writer.c:
- case XmlWriterState_Initial:
return E_UNEXPECTED;
- case XmlWriterState_InvalidEncoding:
- return MX_E_ENCODING;
- case XmlWriterState_ElemStarted:
- writer_close_starttag(This);
- break;
- case XmlWriterState_DocClosed:
- return WR_E_INVALIDACTION;
- default:
- ;
- }
- codepoint = ((wchHigh - 0xd800) * 0x400) + (wchLow - 0xdc00) + 0x10000;
- swprintf(bufW, ARRAY_SIZE(bufW), L"&#x%X;", codepoint);
- write_output_buffer(This->output, bufW, -1);
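Review bot: the codepoint line after the switch, `((wchHigh - 0xd800) * 0x400) + (wchLow - 0xdc00) + 0x10000`, only yields a valid scalar value when wchHigh is in 0xd800-0xdbff and wchLow is in 0xdc00-0xdfff, and the quoted lines do not show where that is enforced. If the range check sits after the switch, the XmlWriterState_ElemStarted case has already called writer_close_starttag(This) by the time bad arguments are rejected, so a failing call would still modify the output. Consider rejecting invalid halves before the state switch, or in a helper shared with the other write paths. A test that passes swapped or unpaired halves while an element start tag is open would settle which order is expected.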
What happens if you pass two surrogate halves to WriteString/WriteChars/WriteRawChars? Or even something like WriteChars(0xab, 1)? It's possible they all share the same hex escaping, and WriteSurrogateCharEntity() is not unique in that. Also, explicitly checking ranges here could as well be misplaced. I suspect WriteString() could validate that as well.