|
|
@@ -374,18 +374,23 @@ const char* XMLUtil::GetCharacterRef( const char* p, char* value, int* length )
|
|
|
--q;
|
|
|
|
|
|
while ( *q != 'x' ) {
|
|
|
+ unsigned int digit;
|
|
|
if ( *q >= '0' && *q <= '9' ) {
|
|
|
- ucs += mult * (*q - '0');
|
|
|
+ digit = *q - '0';
|
|
|
}
|
|
|
else if ( *q >= 'a' && *q <= 'f' ) {
|
|
|
- ucs += mult * (*q - 'a' + 10);
|
|
|
+ digit = *q - 'a' + 10;
|
|
|
}
|
|
|
else if ( *q >= 'A' && *q <= 'F' ) {
|
|
|
- ucs += mult * (*q - 'A' + 10 );
|
|
|
+ digit = *q - 'A' + 10;
|
|
|
}
|
|
|
else {
|
|
|
return 0;
|
|
|
}
|
|
|
+ TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit );
|
|
|
+ const unsigned int digitScaled = mult * digit;
|
|
|
+ TIXMLASSERT( ucs <= ULONG_MAX - digitScaled );
|
|
|
+ ucs += digitScaled;
|
|
|
TIXMLASSERT( mult <= UINT_MAX / 16 );
|
|
|
mult *= 16;
|
|
|
--q;
|
|
|
@@ -410,7 +415,11 @@ const char* XMLUtil::GetCharacterRef( const char* p, char* value, int* length )
|
|
|
|
|
|
while ( *q != '#' ) {
|
|
|
if ( *q >= '0' && *q <= '9' ) {
|
|
|
- ucs += mult * (*q - '0');
|
|
|
+ const unsigned int digit = *q - '0';
|
|
|
+ TIXMLASSERT( digit == 0 || mult <= UINT_MAX / digit );
|
|
|
+ const unsigned int digitScaled = mult * digit;
|
|
|
+ TIXMLASSERT( ucs <= ULONG_MAX - digitScaled );
|
|
|
+ ucs += digitScaled;
|
|
|
}
|
|
|
else {
|
|
|
return 0;
|
Dmitry-Me