From f39e3be0dd9b3aa3ec47ff339b4934c16f6e5156 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sun, 11 Jun 2017 12:35:59 +0200
Subject: [PATCH] Fix sanity check in htmlParseNameComplex

- (cur - len) can overflow.
- Throw an internal error.
Fixes bug 780077.
---
 HTMLparser.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/HTMLparser.c b/HTMLparser.c
index d1395fa5..3198afa2 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -2528,8 +2528,12 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) {
 }
 }
- if (ctxt->input->base > ctxt->input->cur - len)
- return(NULL);
+ if (ctxt->input->cur - ctxt->input->base < len) {
+ /* Sanity check */
+ htmlParseErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "unexpected change of input buffer", NULL, NULL);
+ return (NULL);
+ }
 return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
 }
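Review bot: A negative `len` would pass the new comparison `ctxt->input->cur - ctxt->input->base < len`, so the guard only holds if `len` cannot drop below zero; its declaration and the loop that increments it are outside the hunk, so this needs confirming. If `len` is a signed int, `if (len < 0 || ctxt->input->cur - ctxt->input->base < len) {` closes that case before `cur - len` reaches xmlDictLookup. The comment `/* Sanity check */` could also state the invariant, for example `/* len bytes must lie between base and cur; compare offsets so cur - len is never formed out of range */`. The new `return (NULL);` is spaced differently from the `return(...)` form on the neighbouring lines.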