lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-24 13:33:01 +03:00
Code Activity

Fix parsing short unclosed comment uninitialized access

Browse Source 
For https://bugzilla.gnome.org/show_bug.cgi?id=746048
The HTML parser was too optimistic when processing comments and
didn't check for the end of the stream on the first 2 characters
This commit is contained in:
Daniel Veillard
2015-10-30 21:14:55 +08:00
parent 41ac9049a2
commit e724879d96
1 changed files with 14 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
HTMLparser.c
View File

@@ -3264,12 +3264,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
ctxt->instate = state;
return;
}
len = 0;
buf[len] = 0;
q = CUR_CHAR(ql);
if (!IS_CHAR(q))
goto unfinished;
NEXTL(ql);
r = CUR_CHAR(rl);
if (!IS_CHAR(r))
goto unfinished;
NEXTL(rl);
cur = CUR_CHAR(l);
len = 0;
while (IS_CHAR(cur) &&
((cur != '>') ||
(r != '-') || (q != '-'))) {
@@ -3300,18 +3305,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
}
}
buf[len] = 0;
if (!IS_CHAR(cur)) {
htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
"Comment not terminated \n<!--%.50s\n", buf, NULL);
xmlFree(buf);
} else {
if (IS_CHAR(cur)) {
NEXT;
if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
(!ctxt->disableSAX))
ctxt->sax->comment(ctxt->userData, buf);
xmlFree(buf);
ctxt->instate = state;
return;
}
ctxt->instate = state;
unfinished:
htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
"Comment not terminated \n<!--%.50s\n", buf, NULL);
xmlFree(buf);
}
/**