lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-24 13:33:01 +03:00
Code Activity

Fix more quadratic runtime issues in HTML push parser

Browse Source 
Make sure that checkIndex is set when returning without match from
inside a comment. Also track parser state in htmlParseLookupChars.

Found by OSS-Fuzz.
This commit is contained in:
Nick Wellnhofer
2020-07-09 16:08:38 +02:00
parent 741b0d0a8b
commit 3da8d947df
1 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
HTMLparser.c
View File

@@ -5205,7 +5205,7 @@ htmlParseLookupSequence(htmlParserCtxtPtr ctxt, xmlChar first,
} }
if (incomment) { if (incomment) {
if (base + 3 > len) if (base + 3 > len)
return (-1); break;
if ((buf[base] == '-') && (buf[base + 1] == '-') && if ((buf[base] == '-') && (buf[base + 1] == '-') &&
(buf[base + 2] == '>')) { (buf[base + 2] == '>')) {
incomment = 0; incomment = 0;
@@ -5294,8 +5294,11 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
if (base < 0) if (base < 0)
return (-1); return (-1);
if (ctxt->checkIndex > base) if (ctxt->checkIndex > base) {
base = ctxt->checkIndex; base = ctxt->checkIndex;
/* Abuse hasPErefs member to restore current state. */
incomment = ctxt->hasPErefs & 1 ? 1 : 0;
}
if (in->buf == NULL) { if (in->buf == NULL) {
buf = in->base; buf = in->base;
@@ -5316,7 +5319,7 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
} }
if (incomment) { if (incomment) {
if (base + 3 > len) if (base + 3 > len)
return (-1); break;
if ((buf[base] == '-') && (buf[base + 1] == '-') && if ((buf[base] == '-') && (buf[base + 1] == '-') &&
(buf[base + 2] == '>')) { (buf[base + 2] == '>')) {
incomment = 0; incomment = 0;
@@ -5332,6 +5335,8 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
} }
} }
ctxt->checkIndex = base; ctxt->checkIndex = base;
/* Abuse hasPErefs member to track current state. */
ctxt->hasPErefs = incomment;
return (-1); return (-1);
} }