
Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605>

Reviewed by David Kilzer.

* HTMLparser.c:
(htmlParseName): Add bounds check.
(htmlParseNameComplex): Ditto.
* result/HTML/758605.html: Added.
* result/HTML/758605.html.err: Added.
* result/HTML/758605.html.sax: Added.
* runtest.c:
(pushParseTest): The input for the new test case was so small
(4 bytes) that htmlParseChunk() was never called after
htmlCreatePushParserCtxt(), thereby creating a false positive
test failure.  Fixed by using a do-while loop so we always call
htmlParseChunk() at least once.
* test/HTML/758605.html: Added.
This commit is contained in:
Pranjal Jumde
2016-03-01 11:34:04 -08:00
committed by Daniel Veillard
parent db07dd613e
commit a820dbeac2
6 changed files with 30 additions and 2 deletions


@@ -2471,6 +2471,10 @@ htmlParseName(htmlParserCtxtPtr ctxt) {
(*in == '_') || (*in == '-') ||
(*in == ':') || (*in == '.'))
in++;
if (in == ctxt->input->end)
return(NULL);
if ((*in > 0) && (*in < 0x80)) {
count = in - ctxt->input->cur;
ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count);
@@ -2514,6 +2518,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) {
NEXTL(l);
c = CUR_CHAR(l);
}
if (ctxt->input->base > ctxt->input->cur - len)
return(NULL);
return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
}
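Review bot: The new guard `if (ctxt->input->base > ctxt->input->cur - len)` in htmlParseNameComplex forms the pointer `cur - len` before testing it, and in exactly the case the guard is meant to catch that pointer lies before the start of the input buffer, so computing it is undefined behavior in C; an optimizer is entitled to assume pointer arithmetic stays inside the object and could fold the comparison to false, leaving the overread in the `xmlDictLookup` call on the next line reachable. The same test is well-defined when written as a distance between two pointers that are both inside the buffer: `if (ctxt->input->cur - ctxt->input->base < len) return(NULL);` (this assumes `len` is a non-negative byte count; its declaration is outside the hunk). A short comment would also help the next reader, since nothing in the hunk says why `cur - len` could precede `base`, e.g. `/* the scanned bytes may no longer sit before cur if the input buffer was shrunk or relocated while scanning; refuse rather than read before base */` — the trigger is inferred from the bug report rather than visible here, so confirm the wording. The body of htmlParseNameComplex, including the loop that accumulates `len`, starts outside the hunk.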