lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-24 13:33:01 +03:00
Code Activity

malloc-fail: Fix buffer overread when reading from input

Browse Source 
Found by OSS-Fuzz, see #344.
This commit is contained in:
Nick Wellnhofer
2023-03-15 16:18:11 +01:00
parent 4b3452d171
commit ca2bfecea9
2 changed files with 38 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
HTMLparser.c
View File

@@ -410,6 +410,11 @@ htmlCurrentChar(xmlParserCtxtPtr ctxt, int *len) {
*len = 0; *len = 0;
return(ctxt->token); return(ctxt->token);
} }
if ((ctxt->input->end - ctxt->input->cur < 4) &&
(xmlParserGrow(ctxt) < 0))
return(0);
if (ctxt->charset != XML_CHAR_ENCODING_UTF8) { if (ctxt->charset != XML_CHAR_ENCODING_UTF8) {
xmlChar * guess; xmlChar * guess;
xmlCharEncodingHandlerPtr handler; xmlCharEncodingHandlerPtr handler;
@@ -470,29 +475,21 @@ htmlCurrentChar(xmlParserCtxtPtr ctxt, int *len) {
cur = ctxt->input->cur; cur = ctxt->input->cur;
c = *cur; c = *cur;
if (c & 0x80) { if (c & 0x80) {
size_t avail;
if ((c & 0x40) == 0) if ((c & 0x40) == 0)
goto encoding_error; goto encoding_error;
if (cur[1] == 0) {
xmlParserGrow(ctxt); avail = ctxt->input->end - ctxt->input->cur;
cur = ctxt->input->cur;
} if ((avail < 2) || ((cur[1] & 0xc0) != 0x80))
if ((cur[1] & 0xc0) != 0x80)
goto encoding_error; goto encoding_error;
if ((c & 0xe0) == 0xe0) { if ((c & 0xe0) == 0xe0) {
if ((avail < 3) || ((cur[2] & 0xc0) != 0x80))
if (cur[2] == 0) {
xmlParserGrow(ctxt);
cur = ctxt->input->cur;
}
if ((cur[2] & 0xc0) != 0x80)
goto encoding_error; goto encoding_error;
if ((c & 0xf0) == 0xf0) { if ((c & 0xf0) == 0xf0) {
if (cur[3] == 0) {
xmlParserGrow(ctxt);
cur = ctxt->input->cur;
}
if (((c & 0xf8) != 0xf0) || if (((c & 0xf8) != 0xf0) ||
((cur[3] & 0xc0) != 0x80)) (avail < 4) || ((cur[3] & 0xc0) != 0x80))
goto encoding_error; goto encoding_error;
/* 4-byte code */ /* 4-byte code */
*len = 4; *len = 4;

61
parserInternals.c
View File

@@ -554,8 +554,11 @@ xmlNextChar(xmlParserCtxtPtr ctxt)
return; return;
} }
if ((ctxt->input->cur >= ctxt->input->end) && (xmlParserGrow(ctxt) <= 0)) { if (ctxt->input->end - ctxt->input->cur < 4) {
return; if (xmlParserGrow(ctxt) < 0)
return;
if (ctxt->input->cur >= ctxt->input->end)
return;
} }
if (ctxt->charset == XML_CHAR_ENCODING_UTF8) { if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
@@ -588,30 +591,23 @@ xmlNextChar(xmlParserCtxtPtr ctxt)
c = *cur; c = *cur;
if (c & 0x80) { if (c & 0x80) {
size_t avail;
if (c == 0xC0) if (c == 0xC0)
goto encoding_error; goto encoding_error;
if (cur[1] == 0) {
xmlParserGrow(ctxt); avail = ctxt->input->end - ctxt->input->cur;
cur = ctxt->input->cur;
} if ((avail < 2) || (cur[1] & 0xc0) != 0x80)
if ((cur[1] & 0xc0) != 0x80)
goto encoding_error; goto encoding_error;
if ((c & 0xe0) == 0xe0) { if ((c & 0xe0) == 0xe0) {
unsigned int val; unsigned int val;
if (cur[2] == 0) { if ((avail < 3) || (cur[2] & 0xc0) != 0x80)
xmlParserGrow(ctxt);
cur = ctxt->input->cur;
}
if ((cur[2] & 0xc0) != 0x80)
goto encoding_error; goto encoding_error;
if ((c & 0xf0) == 0xf0) { if ((c & 0xf0) == 0xf0) {
if (cur[3] == 0) {
xmlParserGrow(ctxt);
cur = ctxt->input->cur;
}
if (((c & 0xf8) != 0xf0) || if (((c & 0xf8) != 0xf0) ||
((cur[3] & 0xc0) != 0x80)) (avail < 4) || ((cur[3] & 0xc0) != 0x80))
goto encoding_error; goto encoding_error;
/* 4-byte code */ /* 4-byte code */
ctxt->input->cur += 4; ctxt->input->cur += 4;
@@ -652,8 +648,6 @@ xmlNextChar(xmlParserCtxtPtr ctxt)
ctxt->input->col++; ctxt->input->col++;
ctxt->input->cur++; ctxt->input->cur++;
} }
if (*ctxt->input->cur == 0)
xmlParserGrow(ctxt);
return; return;
encoding_error: encoding_error:
/* /*
@@ -707,6 +701,10 @@ xmlCurrentChar(xmlParserCtxtPtr ctxt, int *len) {
if (ctxt->instate == XML_PARSER_EOF) if (ctxt->instate == XML_PARSER_EOF)
return(0); return(0);
if ((ctxt->input->end - ctxt->input->cur < 4) &&
(xmlParserGrow(ctxt) < 0))
return(0);
if ((*ctxt->input->cur >= 0x20) && (*ctxt->input->cur <= 0x7F)) { if ((*ctxt->input->cur >= 0x20) && (*ctxt->input->cur <= 0x7F)) {
*len = 1; *len = 1;
return(*ctxt->input->cur); return(*ctxt->input->cur);
@@ -729,28 +727,21 @@ xmlCurrentChar(xmlParserCtxtPtr ctxt, int *len) {
c = *cur; c = *cur;
if (c & 0x80) { if (c & 0x80) {
size_t avail;
if (((c & 0x40) == 0) || (c == 0xC0)) if (((c & 0x40) == 0) || (c == 0xC0))
goto encoding_error; goto encoding_error;
if (cur[1] == 0) {
xmlParserGrow(ctxt); avail = ctxt->input->end - ctxt->input->cur;
cur = ctxt->input->cur;
} if ((avail < 2) || (cur[1] & 0xc0) != 0x80)
if ((cur[1] & 0xc0) != 0x80)
goto encoding_error; goto encoding_error;
if ((c & 0xe0) == 0xe0) { if ((c & 0xe0) == 0xe0) {
if (cur[2] == 0) { if ((avail < 3) || (cur[2] & 0xc0) != 0x80)
xmlParserGrow(ctxt);
cur = ctxt->input->cur;
}
if ((cur[2] & 0xc0) != 0x80)
goto encoding_error; goto encoding_error;
if ((c & 0xf0) == 0xf0) { if ((c & 0xf0) == 0xf0) {
if (cur[3] == 0) {
xmlParserGrow(ctxt);
cur = ctxt->input->cur;
}
if (((c & 0xf8) != 0xf0) || if (((c & 0xf8) != 0xf0) ||
((cur[3] & 0xc0) != 0x80)) (avail < 4) || ((cur[3] & 0xc0) != 0x80))
goto encoding_error; goto encoding_error;
/* 4-byte code */ /* 4-byte code */
*len = 4; *len = 4;
@@ -785,8 +776,6 @@ xmlCurrentChar(xmlParserCtxtPtr ctxt, int *len) {
} else { } else {
/* 1-byte code */ /* 1-byte code */
*len = 1; *len = 1;
if (*ctxt->input->cur == 0)
xmlParserGrow(ctxt);
if ((*ctxt->input->cur == 0) && if ((*ctxt->input->cur == 0) &&
(ctxt->input->end > ctxt->input->cur)) { (ctxt->input->end > ctxt->input->cur)) {
xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR, xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,