	Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605>
Reviewed by David Kilzer. * HTMLparser.c: (htmlParseName): Add bounds check. (htmlParseNameComplex): Ditto. * result/HTML/758605.html: Added. * result/HTML/758605.html.err: Added. * result/HTML/758605.html.sax: Added. * runtest.c: (pushParseTest): The input for the new test case was so small (4 bytes) that htmlParseChunk() was never called after htmlCreatePushParserCtxt(), thereby creating a false positive test failure. Fixed by using a do-while loop so we always call htmlParseChunk() at least once. * test/HTML/758605.html: Added.
					committed by
					
						 Daniel Veillard
						Daniel Veillard
					
				
			
			
				
	
			
			
			
						parent
						
							db07dd613e
						
					
				
				
					commit
					a820dbeac2
				
			| @@ -2471,6 +2471,10 @@ htmlParseName(htmlParserCtxtPtr ctxt) { | |||||||
| 	       (*in == '_') || (*in == '-') || | 	       (*in == '_') || (*in == '-') || | ||||||
| 	       (*in == ':') || (*in == '.')) | 	       (*in == ':') || (*in == '.')) | ||||||
| 	    in++; | 	    in++; | ||||||
|  |  | ||||||
|  | 	if (in == ctxt->input->end) | ||||||
|  | 	    return(NULL); | ||||||
|  |  | ||||||
| 	if ((*in > 0) && (*in < 0x80)) { | 	if ((*in > 0) && (*in < 0x80)) { | ||||||
| 	    count = in - ctxt->input->cur; | 	    count = in - ctxt->input->cur; | ||||||
| 	    ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count); | 	    ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count); | ||||||
| @@ -2514,6 +2518,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) { | |||||||
| 	NEXTL(l); | 	NEXTL(l); | ||||||
| 	c = CUR_CHAR(l); | 	c = CUR_CHAR(l); | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |     if (ctxt->input->base > ctxt->input->cur - len) | ||||||
|  | 	return(NULL); | ||||||
|  |  | ||||||
|     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); |     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); | ||||||
| } | } | ||||||
|  |  | ||||||
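Review bot: The guard added in htmlParseNameComplex computes `ctxt->input->cur - len` before comparing it with `base`, so in exactly the situation it is meant to catch the subtraction itself produces a pointer outside the buffer, which is undefined behaviour in C and a comparison the optimizer may legally fold. Compare distances rather than pointers: `if (ctxt->input->cur - ctxt->input->base < len) return(NULL);`, which keeps both operands inside the object. A one-line comment on the guard would also help future readers, e.g. `/* the input buffer may have moved or been shrunk while scanning; never hand xmlDictLookup a pointer before its start */`, the cause being inferred from the bug title rather than visible here. The htmlParseName hunk does not have this problem since `in` only advances and is compared against `end`, though `>=` would be the more defensive form there. Both functions start outside their hunks.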
|   | |||||||
							
								
								
									
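--- /dev/null
+++ b/result/HTML/758605.html
@@ -0,0 +1,3 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
+<html><body><p>&
+</p></body></html>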
							
								
								
									
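--- /dev/null
+++ b/result/HTML/758605.html.err
@@ -0,0 +1,3 @@
+./test/HTML/758605.html:1: HTML parser error : htmlParseEntityRef: no name
+ê
+  ^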
							
								
								
									
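--- /dev/null
+++ b/result/HTML/758605.html.sax
@@ -0,0 +1,13 @@
+SAX.setDocumentLocator()
+SAX.startDocument()
+SAX.error: htmlParseEntityRef: no name
+SAX.startElement(html)
+SAX.startElement(body)
+SAX.startElement(p)
+SAX.characters(&, 1)
+SAX.ignorableWhitespace(
+, 1)
+SAX.endElement(p)
+SAX.endElement(body)
+SAX.endElement(html)
+SAX.endDocument()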
| @@ -1873,7 +1873,7 @@ pushParseTest(const char *filename, const char *result, | |||||||
|     ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename); |     ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename); | ||||||
|     xmlCtxtUseOptions(ctxt, options); |     xmlCtxtUseOptions(ctxt, options); | ||||||
|     cur += 4; |     cur += 4; | ||||||
|     while (cur < size) { |     do { | ||||||
|         if (cur + 1024 >= size) { |         if (cur + 1024 >= size) { | ||||||
| #ifdef LIBXML_HTML_ENABLED | #ifdef LIBXML_HTML_ENABLED | ||||||
| 	    if (options & XML_PARSE_HTML) | 	    if (options & XML_PARSE_HTML) | ||||||
| @@ -1891,7 +1891,7 @@ pushParseTest(const char *filename, const char *result, | |||||||
| 	    xmlParseChunk(ctxt, base + cur, 1024, 0); | 	    xmlParseChunk(ctxt, base + cur, 1024, 0); | ||||||
| 	    cur += 1024; | 	    cur += 1024; | ||||||
| 	} | 	} | ||||||
|     } |     } while (cur < size); | ||||||
|     doc = ctxt->myDoc; |     doc = ctxt->myDoc; | ||||||
| #ifdef LIBXML_HTML_ENABLED | #ifdef LIBXML_HTML_ENABLED | ||||||
|     if (options & XML_PARSE_HTML) |     if (options & XML_PARSE_HTML) | ||||||
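Review bot: Turning the loop into `do { … } while (cur < size)` means the body now also runs when `cur` already exceeds `size`, i.e. for inputs shorter than the 4 bytes handed to xmlCreatePushParserCtxt a few lines above; in that case the final-chunk branch (its length argument is outside this hunk, presumably `size - cur`) would receive a negative length. That precondition was already implicit in passing `4` to the push context, so the cheap fix is to make it explicit before the loop with `if (size < 4)` and bail out the way the function's other error paths do, or to clamp the remainder, `int rem = size > cur ? size - cur : 0;`, before the terminating chunk call. pushParseTest starts and ends outside the hunk.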
|   | |||||||
							
								
								
									
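--- /dev/null
+++ b/test/HTML/758605.html
@@ -0,0 +1 @@
+&:<3A>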