1 From 91d0540ac9beaa86719a05b749219a69baa0dd8d Mon Sep 17 00:00:00 2001
2 From: Nick Wellnhofer <wellnhofer@aevum.de>
3 Date: Sun, 10 Apr 2016 13:12:28 +0200
4 Subject: [PATCH] Lower and upper bound for format token "i"
6 Handle xsl:number with format "i" and value 0 according to XSLT 2.0.
8 Also introduce an upper bound to fix a denial of service.
10 libxslt/numbers.c | 25 ++++++++++++++++---------
11 1 file changed, 16 insertions(+), 9 deletions(-)
13 diff --git a/libxslt/numbers.c b/libxslt/numbers.c
14 index af52883..e769c42 100644
15 --- a/libxslt/numbers.c
16 +++ b/libxslt/numbers.c
17 @@ -274,11 +274,24 @@ xsltNumberFormatAlpha(xsltNumberDataPtr data,
21 -xsltNumberFormatRoman(xmlBufferPtr buffer,
22 +xsltNumberFormatRoman(xsltNumberDataPtr data,
23 + xmlBufferPtr buffer,
28 + * See discussion in xsltNumberFormatAlpha. Also use a reasonable upper
29 + * bound to avoid denial of service.
31 + if (number < 1.0 || number > 5000.0) {
32 + xsltNumberFormatDecimal(buffer, number, '0', 1,
33 + data->digitsPerGroup,
34 + data->groupingCharacter,
35 + data->groupingCharacterLen);
40 * Based on an example by Jim Walsh
42 while (number >= 1000.0) {
43 @@ -527,16 +540,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
44 xsltNumberFormatAlpha(data, buffer, number, FALSE);
47 - xsltNumberFormatRoman(buffer,
51 + xsltNumberFormatRoman(data, buffer, number, TRUE);
54 - xsltNumberFormatRoman(buffer,
58 + xsltNumberFormatRoman(data, buffer, number, FALSE);
61 if (IS_DIGIT_ZERO(token->token)) {