
Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars()

* HTMLparser.c:
(htmlSkipBlankChars):
* parser.c:
(xmlSkipBlankChars):
- Cap the return value at INT_MAX.
- The commit range that OSS-Fuzz listed for the fix didn't make
  any changes to xmlSkipBlankChars(), so it seems like this
  issue may still exist.

Found by OSS-Fuzz Issue 44803.
This commit is contained in:
David Kilzer
2022-04-08 12:33:17 -07:00
parent a15f2abef1
commit 44e9118c02
2 changed files with 6 additions and 3 deletions


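--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -598,7 +598,8 @@ htmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
 if (*ctxt->input->cur == 0)
 xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
 }
-res++;
+if (res < INT_MAX)
+res++;
 }
 return(res);
 }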
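Review bot: The saturating guard `if (res < INT_MAX)` placed in front of `res++` carries no explanation, so a later reader may take it for an off-by-one oddity and remove it; add a one-line comment above it such as `/* saturate instead of overflowing: res only reports how much was skipped */`. The same unexplained guard appears in both parser.c hunks of this commit (xmlSkipBlankChars), so the comment belongs there as well. After saturation the loop still consumes input, so only the returned count, not the parser position, becomes inexact; whether any caller treats the return as an exact count cannot be confirmed from this hunk. htmlSkipBlankChars begins outside the hunk.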


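--- a/parser.c
+++ b/parser.c
@@ -2202,7 +2202,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
 ctxt->input->col++;
 }
 cur++;
-res++;
+if (res < INT_MAX)
+res++;
 if (*cur == 0) {
 ctxt->input->cur = cur;
 xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
@@ -2238,7 +2239,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
 * by the attachment of one leading and one following space (#x20)
 * character."
 */
-res++;
+if (res < INT_MAX)
+res++;
 }
 }
 return(res);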
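Review bot: The `ctxt->input->col++` context line in the first hunk increments a second counter in the same whitespace loop with no bound, so if col has the same plain-int type as res, the signed overflow this commit prevents for res can presumably still be reached through col on the same input; worth confirming and capping the same way, e.g. `if (ctxt->input->col < INT_MAX) ctxt->input->col++;`. This is inferred from the visible lines only; the declaration of col is not in the hunk. Both hunks lie inside xmlSkipBlankChars, whose body starts before the first hunk and whose closing brace follows the second.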