mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-07-05 19:01:18 +03:00

Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars()

* HTMLparser.c:
(htmlSkipBlankChars):
* parser.c:
(xmlSkipBlankChars):
- Cap the return value at INT_MAX.
- The commit range that OSS-Fuzz listed for the fix didn't make
  any changes to xmlSkipBlankChars(), so it seems like this
  issue may still exist.

Found by OSS-Fuzz Issue 44803.
David Kilzer
2022-04-08 12:33:17 -07:00
parent a15f2abef1
commit 44e9118c02
2 changed files with 6 additions and 3 deletions


@ -598,6 +598,7 @@ htmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
if (*ctxt->input->cur == 0) if (*ctxt->input->cur == 0)
xmlParserInputGrow(ctxt->input, INPUT_CHUNK); xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
} }
if (res < INT_MAX)
res++; res++;
} }
return(res); return(res);
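Review bot: The guard added before `res++` makes the return value saturating, but nothing in the hunk records that; the function's header comment lies outside the hunk and presumably still describes the result as the number of blanks skipped. I would add a comment at the guard, `/* saturate: res++ at INT_MAX would be signed overflow (UB) */`, and extend the return description to say the count is capped at INT_MAX, so that no caller treats it as an exact length or offset. The same applies to both guards in xmlSkipBlankChars() in parser.c. The additions in the diffstat appear to be fully accounted for by the three hunks, so no `#include <limits.h>` was added; it is worth confirming that both files already have INT_MAX in scope.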


@ -2202,6 +2202,7 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
ctxt->input->col++; ctxt->input->col++;
} }
cur++; cur++;
if (res < INT_MAX)
res++; res++;
if (*cur == 0) { if (*cur == 0) {
ctxt->input->cur = cur; ctxt->input->cur = cur;
@ -2238,6 +2239,7 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
* by the attachment of one leading and one following space (#x20) * by the attachment of one leading and one following space (#x20)
* character." * character."
*/ */
if (res < INT_MAX)
res++; res++;
} }
} }
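Review bot: `ctxt->input->col++` in the first parser.c hunk sits right beside the counter this commit caps and is left unguarded. If `col` is a signed int (its declaration is not shown here), the input that drives `res` to INT_MAX, a very long run of blanks with no newline, would overflow it as well, which is the same undefined behaviour. A matching guard, `if (ctxt->input->col < INT_MAX) ctxt->input->col++;`, would close it, and the line counter in the branch above the hunk deserves the same check. xmlSkipBlankChars() begins and ends outside both hunks.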