This fixes a heap buffer overflow caught by the xmlproc fuzzer.
#undef MAX
#define MAX(a, b) max((a), (b))
+/* Get the maximum of three variables, without multiple evaluation. */
+#undef max3
+#define max3(a, b, c) max(max((a), (b)), (c))
+
/* Swap the values of two variables, without multiple evaluation. */
#ifndef swap
# define swap(a, b) ({ typeof(a) _a = (a); (a) = (b); (b) = _a; })
xml_write(struct xml_out_buf *buf, const tchar *str, size_t len)
{
if (buf->count + len + 1 > buf->capacity) {
- size_t new_capacity = max(buf->capacity * 2, 4096);
+ size_t new_capacity = max3(buf->count + len + 1,
+ buf->capacity * 2, 4096);
tchar *new_buf = REALLOC(buf->buf,
new_capacity * sizeof(str[0]));
if (!new_buf) {
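Review bot: The size arithmetic in `xml_write` is still unchecked: `buf->count + len + 1` can wrap around `size_t` in both the `if` condition and the first `max3()` argument, and `new_capacity * sizeof(str[0])` can wrap in the `REALLOC` call. Either wrap would leave the buffer smaller than the data about to be copied, which is the same class of overflow this commit fixes. Whether `len` can get that large depends on callers not shown here, so this is defence in depth rather than a confirmed bug. A guard ahead of the growth check would make the function safe on its own, e.g. `if (len > SIZE_MAX / sizeof(str[0]) - buf->count - 1)`, handled the same way as the allocation-failure branch that follows. The function's signature line and the rest of its body are outside this hunk, so the copy itself and the error path could not be checked.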