diff options
| -rw-r--r-- | Tests/LibXML/TestParser.cpp | 9 | ||||
| -rw-r--r-- | Userland/Libraries/LibXML/Parser/Parser.cpp | 10 |
2 files changed, 14 insertions, 5 deletions
diff --git a/Tests/LibXML/TestParser.cpp b/Tests/LibXML/TestParser.cpp index 54a9621a22..2110ba8d27 100644 --- a/Tests/LibXML/TestParser.cpp +++ b/Tests/LibXML/TestParser.cpp @@ -20,3 +20,12 @@ TEST_CASE(char_data_ending) return Test::Crash::Failure::DidNotCrash; }); } + +TEST_CASE(character_reference_integer_overflow) +{ + EXPECT_NO_CRASH("parsing character references that do not fit in 32 bits should not crash", [] { + XML::Parser parser("<G>�"); + (void)parser.parse(); + return Test::Crash::Failure::DidNotCrash; + }); +} diff --git a/Userland/Libraries/LibXML/Parser/Parser.cpp b/Userland/Libraries/LibXML/Parser/Parser.cpp index d32ca51c75..1fd23effc1 100644 --- a/Userland/Libraries/LibXML/Parser/Parser.cpp +++ b/Userland/Libraries/LibXML/Parser/Parser.cpp @@ -758,26 +758,26 @@ ErrorOr<Variant<Parser::EntityReference, String>, ParseError> Parser::parse_refe auto name_result = parse_name(); if (name_result.is_error()) { TRY(expect("#")); - u32 code_point; + Optional<u32> code_point; if (m_lexer.consume_specific('x')) { auto hex = TRY(expect_many( ranges_for_search<Range('0', '9'), Range('a', 'f'), Range('A', 'F')>(), "any of [0-9a-fA-F]")); - code_point = *AK::StringUtils::convert_to_uint_from_hex<u32>(hex); + code_point = AK::StringUtils::convert_to_uint_from_hex<u32>(hex); } else { auto decimal = TRY(expect_many( ranges_for_search<Range('0', '9')>(), "any of [0-9]")); - code_point = *decimal.to_uint<u32>(); + code_point = decimal.to_uint<u32>(); } - if (!s_characters.contains(code_point)) + if (!code_point.has_value() || !s_characters.contains(*code_point)) return parse_error(reference_start, "Invalid character reference"); TRY(expect(";")); StringBuilder builder; - builder.append_code_point(code_point); + builder.append_code_point(*code_point); rollback.disarm(); return builder.to_string(); |