Fix #122

README.md

@@ -19,7 +19,7 @@ Coordinates for this are:
 
 * Group id: `com.fasterxml.woodstox`
 * Artifact id: `woodstox-core`
-* Latest published version: 6.0.3 (2019-12-07)
+* Latest published version: 6.2.4 (2021-02-11)
 
 Note that Maven id has changed since Woodstox 4.x.
 

release-notes/VERSION

@@ -4,6 +4,11 @@ Project: woodstox
 === Releases ===
 ------------------------------------------------------------------------
 
+6.2.4 (11-Feb-2021)
+
+#122: Expected either attr limit (2147483647) >= currAttrSize (0) OR >= outBuf.length (96)
+ (reported by j3rem1e@github)
+
 6.2.3 (16-Oct-2020)
 
 #117: Problem with `Stax2ByteArraySource`, encodings other than UTF-8

src/main/java/com/ctc/wstx/sr/AttributeCollector.java

@@ -192,7 +192,7 @@ public final class AttributeCollector
     protected int mAttrSpillEnd;
 
     protected int mMaxAttributesPerElement;
-    protected int mMaxAttributeSize;
+//    protected int mMaxAttributeSize;
 
     /*
     ///////////////////////////////////////////////
@@ -211,7 +211,7 @@ protected AttributeCollector(ReaderConfig cfg, boolean nsAware)
             mXmlIdLocalName = "xml:id";
         }
         mMaxAttributesPerElement = cfg.getMaxAttributesPerElement();
-        mMaxAttributeSize = cfg.getMaxAttributeSize();
+//        mMaxAttributeSize = cfg.getMaxAttributeSize();
     }
 
     /**

src/main/java/com/ctc/wstx/sr/BasicStreamReader.java

@@ -1968,7 +1968,7 @@ private final void parseAttrValue(char openingQuote, TextBuilder tb)
         // important! Underlying buffer may be shared, does not necessarily start from 0
         final int startingOffset = outPtr;
         final int maxAttrSize = mConfig.getMaxAttributeSize();
-        int outLimit = Math.min(startingOffset+maxAttrSize, outBuf.length);
+        int outLimit = _outputLimit(outBuf, startingOffset, maxAttrSize);
         final WstxInputSource currScope = mInput;
 
         while (true) {
@@ -2023,7 +2023,7 @@ private final void parseAttrValue(char openingQuote, TextBuilder tb)
                         ch -= 0x10000;
                         if (outPtr >= outLimit) {
                             outBuf = _checkAttributeLimit(tb, outBuf, outPtr, outPtr - startingOffset, maxAttrSize);
-                            outLimit = Math.min(startingOffset+maxAttrSize, outBuf.length);
+                            outLimit = _outputLimit(outBuf, startingOffset, maxAttrSize);
                         }
                         outBuf[outPtr++] = (char) ((ch >> 10)  + 0xD800);
                         c = (char) ((ch & 0x3FF)  + 0xDC00);
@@ -2036,7 +2036,7 @@ private final void parseAttrValue(char openingQuote, TextBuilder tb)
             // Ok, let's just add char in, whatever it was
             if (outPtr >= outLimit) {
                 outBuf = _checkAttributeLimit(tb, outBuf, outPtr, outPtr - startingOffset, maxAttrSize);
-                outLimit = Math.min(startingOffset+maxAttrSize, outBuf.length);
+                outLimit = _outputLimit(outBuf, startingOffset, maxAttrSize);
             }
             outBuf[outPtr++] = c;
         }
@@ -2045,6 +2045,11 @@ private final void parseAttrValue(char openingQuote, TextBuilder tb)
         tb.setBufferSize(outPtr);
     }
 
+    private final int _outputLimit(char[] outBuf, int offset, int maxAttrLen) {
+        // [woodstox-core#122]: make sure "offset + max-size" does not overflow:
+        return Math.min(outBuf.length, Math.max(maxAttrLen, offset+maxAttrLen));
+    }
+
     private final char[] _checkAttributeLimit(TextBuilder tb,
             char[] outBuf, int outPtr, int currAttrSize, int maxAttrSize)
         throws XMLStreamException
@@ -2053,8 +2058,9 @@ private final char[] _checkAttributeLimit(TextBuilder tb,
         verifyLimit("Maximum attribute size", maxAttrSize , currAttrSize+1);
         // just sanity check
         if (outPtr < outBuf.length) {
-            ExceptionUtil.throwInternal("Expected either attr limit ("+maxAttrSize
-                    +") >= currAttrSize ("+currAttrSize+") OR >= outBuf.length ("+outBuf.length+")");
+            ExceptionUtil.throwInternal(String.format(
+"Expected either currAttrSize (%d) > maxAttrSize (%d) OR outPtr (%d) >= outBuf.length (%d)",
+currAttrSize, maxAttrSize, outPtr, outBuf.length));
         }
         return tb.bufferFull(1);
     }

src/test/java/wstxtest/stream/TestAttributeLimits.java

@@ -81,7 +81,7 @@ public void testExactSmallMaxAttributeCount() throws Exception
         }
         r.close();
     }
-    
+
     // [woodstox-core#93]: should use stricter verification of max attr length
     public void testShorterAttribute() throws Exception
     {
@@ -143,4 +143,20 @@ public void close() throws IOException { }
         }
         reader.close(); // never gets here
     }
+
+    // [woodstox-core#122]: problem setting max-attr-size to Integer.MAX_VALUE
+    public void testMaxAttrMaxIntValue() throws Exception
+    {
+        XMLInputFactory factory = getNewInputFactory();
+        factory.setProperty(WstxInputProperties.P_MAX_ATTRIBUTE_SIZE, Integer.MAX_VALUE);
+
+        // First: ok document
+        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(
+                "<root attr='1234' other='ab' x='foobar' />"));
+        assertTokenType(START_ELEMENT, r.next());
+        assertEquals(3, r.getAttributeCount());
+        assertEquals("foobar", r.getAttributeValue(2));
+        assertTokenType(END_ELEMENT, r.next());
+        r.close();
+    }
 }