lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-24 13:33:01 +03:00
Code Activity

Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral

Browse Source 
For https://bugzilla.gnome.org/show_bug.cgi?id=760263

* HTMLparser.c: Add BASE_PTR convenience macro.
(htmlParseSystemLiteral): Store length and start position instead
of a pointer while iterating through the public identifier since
the underlying buffer may change, resulting in a stale pointer
being used.
(htmlParsePubidLiteral): Ditto.
This commit is contained in:
Pranjal Jumde
2016-03-02 15:52:24 -08:00
committed by Daniel Veillard
parent 4472c3a5a5
commit 11ed4a7a90
1 changed files with 43 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
HTMLparser.c
View File

@@ -303,6 +303,7 @@ htmlNodeInfoPop(htmlParserCtxtPtr ctxt)
#define UPP(val) (toupper(ctxt->input->cur[(val)]))
#define CUR_PTR ctxt->input->cur
#define BASE_PTR ctxt->input->base
#define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \
(ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \
@@ -2781,31 +2782,43 @@ htmlParseAttValue(htmlParserCtxtPtr ctxt) {
static xmlChar *
htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
const xmlChar *q;
size_t len = 0, startPosition = 0;
xmlChar *ret = NULL;
if (CUR == '"') {
NEXT;
q = CUR_PTR;
while ((IS_CHAR_CH(CUR)) && (CUR != '"'))
if (CUR_PTR < BASE_PTR)
return(ret);
startPosition = CUR_PTR - BASE_PTR;
while ((IS_CHAR_CH(CUR)) && (CUR != '"')) {
NEXT;
len++;
}
if (!IS_CHAR_CH(CUR)) {
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
"Unfinished SystemLiteral\n", NULL, NULL);
} else {
ret = xmlStrndup(q, CUR_PTR - q);
ret = xmlStrndup((BASE_PTR+startPosition), len);
NEXT;
}
} else if (CUR == '\'') {
NEXT;
q = CUR_PTR;
while ((IS_CHAR_CH(CUR)) && (CUR != '\''))
if (CUR_PTR < BASE_PTR)
return(ret);
startPosition = CUR_PTR - BASE_PTR;
while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) {
NEXT;
len++;
}
if (!IS_CHAR_CH(CUR)) {
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
"Unfinished SystemLiteral\n", NULL, NULL);
} else {
ret = xmlStrndup(q, CUR_PTR - q);
ret = xmlStrndup((BASE_PTR+startPosition), len);
NEXT;
}
} else {
@@ -2829,32 +2842,47 @@ htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
static xmlChar *
htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) {
const xmlChar *q;
size_t len = 0, startPosition = 0;
xmlChar *ret = NULL;
/*
* Name ::= (Letter | '_') (NameChar)*
*/
if (CUR == '"') {
NEXT;
q = CUR_PTR;
while (IS_PUBIDCHAR_CH(CUR)) NEXT;
if (CUR_PTR < BASE_PTR)
return(ret);
startPosition = CUR_PTR - BASE_PTR;
while (IS_PUBIDCHAR_CH(CUR)) {
len++;
NEXT;
}
if (CUR != '"') {
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
"Unfinished PubidLiteral\n", NULL, NULL);
} else {
ret = xmlStrndup(q, CUR_PTR - q);
ret = xmlStrndup((BASE_PTR + startPosition), len);
NEXT;
}
} else if (CUR == '\'') {
NEXT;
q = CUR_PTR;
while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\''))
NEXT;
if (CUR_PTR < BASE_PTR)
return(ret);
startPosition = CUR_PTR - BASE_PTR;
while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){
len++;
NEXT;
}
if (CUR != '\'') {
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
"Unfinished PubidLiteral\n", NULL, NULL);
} else {
ret = xmlStrndup(q, CUR_PTR - q);
ret = xmlStrndup((BASE_PTR + startPosition), len);
NEXT;
}
} else {