fix: five memcpy calls in tinystr in tinystr.cpp

src/PLASMA/TinyXml/base/tinystr.cpp

@@ -30,6 +30,7 @@ distribution.
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
+#include <limits.h>
 
 #include "tinystr.h"
 
@@ -48,7 +49,15 @@ TiXmlString::TiXmlString (const char* instring)
         current_length = 0;
         return;
     }
-    newlen = strlen (instring) + 1;
+    size_t slen = strlen (instring);
+    if (slen >= (size_t)UINT_MAX)
+    {
+        allocated = 0;
+        cstring = NULL;
+        current_length = 0;
+        return;
+    }
+    newlen = (unsigned)(slen + 1);
     newstring = new char [newlen];
     memcpy (newstring, instring, newlen);
     // strcpy (newstring, instring);
@@ -74,6 +83,13 @@ TiXmlString::TiXmlString (const TiXmlString& copy)
         current_length = 0;
         return;
     }
+    if (copy . length () >= UINT_MAX)
+    {
+        allocated = 0;
+        cstring = NULL;
+        current_length = 0;
+        return;
+    }
     newlen = copy . length () + 1;
     newstring = new char [newlen];
     // strcpy (newstring, copy . cstring);
@@ -94,7 +110,13 @@ void TiXmlString ::operator = (const char * content)
         empty_it ();
         return;
     }
-    newlen = strlen (content) + 1;
+    size_t slen = strlen (content);
+    if (slen >= (size_t)UINT_MAX)
+    {
+        empty_it ();
+        return;
+    }
+    newlen = (unsigned)(slen + 1);
     newstring = new char [newlen];
     // strcpy (newstring, content);
     memcpy (newstring, content, newlen);
@@ -115,6 +137,11 @@ void TiXmlString ::operator = (const TiXmlString & copy)
         empty_it ();
         return;
     }
+    if (copy . length () >= UINT_MAX)
+    {
+        empty_it ();
+        return;
+    }
     newlen = copy . length () + 1;
     newstring = new char [newlen];
     // strcpy (newstring, copy . c_str ());
@@ -142,12 +169,15 @@ void TiXmlString::append( const char* str, int len )
     char * new_string;
     unsigned new_alloc, new_size, size_suffix;
 
-    size_suffix = strlen (str);
+    size_suffix = (unsigned) strlen (str);
     if (len < (int) size_suffix)
-        size_suffix = len;
+        size_suffix = (unsigned) len;
     if (! size_suffix)
         return;
 
+    // guard against integer overflow in new_size computation
+    if (size_suffix > UINT_MAX - length () - 1)
+        return;
     new_size = length () + size_suffix + 1;
     // check if we need to expand
     if (new_size > allocated)
@@ -197,7 +227,11 @@ void TiXmlString::append( const char * suffix )
     char * new_string;
     unsigned new_alloc, new_size;
 
-    new_size = length () + strlen (suffix) + 1;
+    size_t suffix_len = strlen (suffix);
+    // guard against integer overflow in new_size computation
+    if (suffix_len >= (size_t)UINT_MAX || suffix_len > (size_t)(UINT_MAX - length () - 1))
+        return;
+    new_size = length () + (unsigned)suffix_len + 1;
     // check if we need to expand
     if (new_size > allocated)
     {