diff --git a/src/xercesc/validators/common/DFAContentModel.cpp b/src/xercesc/validators/common/DFAContentModel.cpp index 856f88f46..1b5dc59e2 100644 --- a/src/xercesc/validators/common/DFAContentModel.cpp +++ b/src/xercesc/validators/common/DFAContentModel.cpp @@ -42,6 +42,7 @@ #include #include #include +#include namespace XERCES_CPP_NAMESPACE { @@ -661,8 +662,15 @@ void DFAContentModel::buildDFA(ContentSpecNode* const curNode) // in the fLeafCount member. // fLeafCount=countLeafNodes(curNode); + // Avoid integer overflow in below fLeafCount++ increment + if (fLeafCount > (std::numeric_limits::max() - 1)) + throw OutOfMemoryException(); fEOCPos = fLeafCount++; + // Avoid integer overflow in below memory allocation + if (fLeafCount > (std::numeric_limits::max() / sizeof(CMLeaf*))) + throw OutOfMemoryException(); + // We need to build an array of references to the non-epsilon // leaf nodes. We will put them in the array according to their position values // @@ -1364,14 +1372,27 @@ unsigned int DFAContentModel::countLeafNodes(ContentSpecNode* const curNode) if(nLoopCount!=0) { count += countLeafNodes(cursor); - for(unsigned int i=0;i (std::numeric_limits::max() / nLoopCount)) + throw OutOfMemoryException(); + const unsigned int countRightMulLoopCount = nLoopCount * countRight; + // Avoid integer overflow in below addition + if (count > (std::numeric_limits::max() - countRightMulLoopCount)) + throw OutOfMemoryException(); + count += countRightMulLoopCount; return count; } if(leftNode) count+=countLeafNodes(leftNode); if(rightNode) - count+=countLeafNodes(rightNode); + { + const unsigned int countRight = countLeafNodes(rightNode); + // Avoid integer overflow in below addition + if (count > (std::numeric_limits::max() - countRight)) + throw OutOfMemoryException(); + count+=countRight; + } } return count; }
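Review bot: In buildDFA the second guard bounds `fLeafCount` only against `sizeof(CMLeaf*)`, so it covers the one allocation it precedes. The rest of the function is outside the hunk, and any other buffer or index derived from `fLeafCount` with a larger element size or a multiplier would need its own check; this should be confirmed against the full function. Both guards here, and the ones added in countLeafNodes, throw `OutOfMemoryException` for what is an input-size rejection rather than an allocator failure, so the two cases look identical when an oversized or malformed content model is being triaged. A comment such as `// content model too large: leaf count would wrap` at each throw would record the intent. The template argument of `std::numeric_limits` is not legible on this page, so verify that the first guard uses the type of `fLeafCount` and the second the type of the allocator's size parameter.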
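Review bot: The check-then-multiply and check-then-add sequences in countLeafNodes are written out separately at each site, which makes it hard to audit that every accumulation into `count` is covered; the context lines `count += countLeafNodes(cursor);` and `count+=countLeafNodes(leftNode);` remain plain additions. If `count` is always zero at those two points they cannot wrap, but that depends on code above the hunk, so a comment such as `// count is still 0 here, cannot overflow` or a single checked-add helper used for every accumulation would make the invariant explicit. A comment such as `// nLoopCount != 0 in this branch, so the division is defined` above the multiplication guard would document why dividing by `nLoopCount` is safe. The function starts before the hunk, and the opening of the multiplication guard is truncated on this page.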