	Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605>
Reviewed by David Kilzer. * HTMLparser.c: (htmlParseName): Add bounds check. (htmlParseNameComplex): Ditto. * result/HTML/758605.html: Added. * result/HTML/758605.html.err: Added. * result/HTML/758605.html.sax: Added. * runtest.c: (pushParseTest): The input for the new test case was so small (4 bytes) that htmlParseChunk() was never called after htmlCreatePushParserCtxt(), thereby creating a false positive test failure. Fixed by using a do-while loop so we always call htmlParseChunk() at least once. * test/HTML/758605.html: Added.
					committed by
					
						 Daniel Veillard
						Daniel Veillard
					
				
			
			
				
	
			
			
			
						parent
						
							db07dd613e
						
					
				
				
					commit
					a820dbeac2
				
			| @@ -2471,6 +2471,10 @@ htmlParseName(htmlParserCtxtPtr ctxt) { | ||||
| 	       (*in == '_') || (*in == '-') || | ||||
| 	       (*in == ':') || (*in == '.')) | ||||
| 	    in++; | ||||
|  | ||||
| 	if (in == ctxt->input->end) | ||||
| 	    return(NULL); | ||||
|  | ||||
| 	if ((*in > 0) && (*in < 0x80)) { | ||||
| 	    count = in - ctxt->input->cur; | ||||
| 	    ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count); | ||||
| @@ -2514,6 +2518,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) { | ||||
| 	NEXTL(l); | ||||
| 	c = CUR_CHAR(l); | ||||
|     } | ||||
|  | ||||
|     if (ctxt->input->base > ctxt->input->cur - len) | ||||
| 	return(NULL); | ||||
|  | ||||
|     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); | ||||
| } | ||||
|  | ||||
|   | ||||
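Review bot: The new guard in htmlParseNameComplex, `if (ctxt->input->base > ctxt->input->cur - len)`, forms the pointer `cur - len` before testing it, and computing a pointer below the start of the buffer is undefined behaviour in C, so a compiler is allowed to assume the condition is false and drop the check. Comparing distances keeps the test well defined: `if (ctxt->input->cur - ctxt->input->base < len) return(NULL);`. In htmlParseName the `in == ctxt->input->end` test runs only after the scanning loop has already dereferenced `*in`, so it presumably relies on the input buffer being NUL-terminated at `end`; a one-line comment stating that assumption would help the next reader. Both functions begin outside their hunks, and neither new return path reports a parser error itself, which is worth confirming against the callers.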
							
								
								
									
										3
									
								
								result/HTML/758605.html
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										3
									
								
								result/HTML/758605.html
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,3 @@ | ||||
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> | ||||
| <html><body><p>& | ||||
| </p></body></html> | ||||
							
								
								
									
										3
									
								
								result/HTML/758605.html.err
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										3
									
								
								result/HTML/758605.html.err
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,3 @@ | ||||
| ./test/HTML/758605.html:1: HTML parser error : htmlParseEntityRef: no name | ||||
| ê | ||||
|   ^ | ||||
							
								
								
									
										13
									
								
								result/HTML/758605.html.sax
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										13
									
								
								result/HTML/758605.html.sax
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,13 @@ | ||||
| SAX.setDocumentLocator() | ||||
| SAX.startDocument() | ||||
| SAX.error: htmlParseEntityRef: no name | ||||
| SAX.startElement(html) | ||||
| SAX.startElement(body) | ||||
| SAX.startElement(p) | ||||
| SAX.characters(&, 1) | ||||
| SAX.ignorableWhitespace( | ||||
| , 1) | ||||
| SAX.endElement(p) | ||||
| SAX.endElement(body) | ||||
| SAX.endElement(html) | ||||
| SAX.endDocument() | ||||
| @@ -1873,7 +1873,7 @@ pushParseTest(const char *filename, const char *result, | ||||
|     ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename); | ||||
|     xmlCtxtUseOptions(ctxt, options); | ||||
|     cur += 4; | ||||
|     while (cur < size) { | ||||
|     do { | ||||
|         if (cur + 1024 >= size) { | ||||
| #ifdef LIBXML_HTML_ENABLED | ||||
| 	    if (options & XML_PARSE_HTML) | ||||
| @@ -1891,7 +1891,7 @@ pushParseTest(const char *filename, const char *result, | ||||
| 	    xmlParseChunk(ctxt, base + cur, 1024, 0); | ||||
| 	    cur += 1024; | ||||
| 	} | ||||
|     } | ||||
|     } while (cur < size); | ||||
|     doc = ctxt->myDoc; | ||||
| #ifdef LIBXML_HTML_ENABLED | ||||
|     if (options & XML_PARSE_HTML) | ||||
|   | ||||
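Review bot: With the `do { ... } while (cur < size);` form the loop body now runs once even when `cur` is already past `size`, which is the case for an input shorter than 4 bytes because `cur += 4` is unconditional and the context is created with a fixed length of 4. The final-chunk call sits between the two hunks and is not visible here, but if it passes `size - cur` as the length, that value would be negative for such a file, and the creation call would already have read past the end of the buffer. Clamping the first read, for example `first = (size < 4) ? size : 4;` used both in the create call and in `cur += first;`, would keep the harness safe for very small test inputs. pushParseTest starts and ends outside these hunks.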
							
								
								
									
										1
									
								
								test/HTML/758605.html
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1
									
								
								test/HTML/758605.html
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1 @@ | ||||
| &:<3A> | ||||