mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-28 23:14:57 +03:00

Fix integer overflow in htmlParseCharRef

Fixes #115.
Nick Wellnhofer
2020-06-15 18:47:53 +02:00
parent 2f9382033e
commit 31ca4a728c


@@ -3400,13 +3400,16 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) {
((NXT(2) == 'x') || NXT(2) == 'X')) { ((NXT(2) == 'x') || NXT(2) == 'X')) {
SKIP(3); SKIP(3);
while (CUR != ';') { while (CUR != ';') {
if ((CUR >= '0') && (CUR <= '9')) if ((CUR >= '0') && (CUR <= '9')) {
if (val < 0x110000)
val = val * 16 + (CUR - '0'); val = val * 16 + (CUR - '0');
else if ((CUR >= 'a') && (CUR <= 'f')) } else if ((CUR >= 'a') && (CUR <= 'f')) {
if (val < 0x110000)
val = val * 16 + (CUR - 'a') + 10; val = val * 16 + (CUR - 'a') + 10;
else if ((CUR >= 'A') && (CUR <= 'F')) } else if ((CUR >= 'A') && (CUR <= 'F')) {
if (val < 0x110000)
val = val * 16 + (CUR - 'A') + 10; val = val * 16 + (CUR - 'A') + 10;
else { } else {
htmlParseErr(ctxt, XML_ERR_INVALID_HEX_CHARREF, htmlParseErr(ctxt, XML_ERR_INVALID_HEX_CHARREF,
"htmlParseCharRef: missing semicolon\n", "htmlParseCharRef: missing semicolon\n",
NULL, NULL); NULL, NULL);
@@ -3419,9 +3422,10 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) {
} else if ((CUR == '&') && (NXT(1) == '#')) { } else if ((CUR == '&') && (NXT(1) == '#')) {
SKIP(2); SKIP(2);
while (CUR != ';') { while (CUR != ';') {
if ((CUR >= '0') && (CUR <= '9')) if ((CUR >= '0') && (CUR <= '9')) {
if (val < 0x110000)
val = val * 10 + (CUR - '0'); val = val * 10 + (CUR - '0');
else { } else {
htmlParseErr(ctxt, XML_ERR_INVALID_DEC_CHARREF, htmlParseErr(ctxt, XML_ERR_INVALID_DEC_CHARREF,
"htmlParseCharRef: missing semicolon\n", "htmlParseCharRef: missing semicolon\n",
NULL, NULL); NULL, NULL);
@@ -3440,6 +3444,9 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) {
*/ */
if (IS_CHAR(val)) { if (IS_CHAR(val)) {
return(val); return(val);
} else if (val >= 0x110000) {
htmlParseErr(ctxt, XML_ERR_INVALID_CHAR,
"htmlParseCharRef: value too large\n", NULL, NULL);
} else { } else {
htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR, htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR,
"htmlParseCharRef: invalid xmlChar value %d\n", "htmlParseCharRef: invalid xmlChar value %d\n",
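Review bot: The bound `0x110000` appears in all four accumulation guards and again in the final range check, but nothing in the new code says what it is or why accumulation stops there. A short comment above the first guard would help, for example `/* 0x110000 is one past the last Unicode code point; once val reaches it we stop accumulating so val * 16 cannot overflow */`. It is also worth noting next to the `value too large` branch that `val` is then only a saturation marker and not the number written in the document, which is presumably why that message omits the value. This assumes `val` is a signed `int`; its declaration and the rest of htmlParseCharRef lie outside the visible hunks.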