lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-26 00:37:43 +03:00
Code Activity

Fix uninitialized memory access in HTML parser

Browse Source 
The SAX2 character handler expects NULL-terminated buffer.

Closes #106.

Also see https://github.com/lxml/lxml/pull/288
This commit is contained in:
Nick Wellnhofer
2019-10-03 04:15:52 +02:00
parent 5eeb9d5fbb
commit f9f8df0a31
1 changed files with 10 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
HTMLparser.c
View File

@@ -2961,6 +2961,7 @@ htmlParseScript(htmlParserCtxtPtr ctxt) {
} }
COPY_BUF(l,buf,nbchar,cur); COPY_BUF(l,buf,nbchar,cur);
if (nbchar >= HTML_PARSER_BIG_BUFFER_SIZE) { if (nbchar >= HTML_PARSER_BIG_BUFFER_SIZE) {
buf[nbchar] = 0;
if (ctxt->sax->cdataBlock!= NULL) { if (ctxt->sax->cdataBlock!= NULL) {
/* /*
* Insert as CDATA, which is the same as HTML_PRESERVE_NODE * Insert as CDATA, which is the same as HTML_PRESERVE_NODE
@@ -2985,6 +2986,7 @@ htmlParseScript(htmlParserCtxtPtr ctxt) {
} }
if ((nbchar != 0) && (ctxt->sax != NULL) && (!ctxt->disableSAX)) { if ((nbchar != 0) && (ctxt->sax != NULL) && (!ctxt->disableSAX)) {
buf[nbchar] = 0;
if (ctxt->sax->cdataBlock!= NULL) { if (ctxt->sax->cdataBlock!= NULL) {
/* /*
* Insert as CDATA, which is the same as HTML_PRESERVE_NODE * Insert as CDATA, which is the same as HTML_PRESERVE_NODE
@@ -3030,6 +3032,8 @@ htmlParseCharDataInternal(htmlParserCtxtPtr ctxt, int readahead) {
COPY_BUF(l,buf,nbchar,cur); COPY_BUF(l,buf,nbchar,cur);
} }
if (nbchar >= HTML_PARSER_BIG_BUFFER_SIZE) { if (nbchar >= HTML_PARSER_BIG_BUFFER_SIZE) {
buf[nbchar] = 0;
/* /*
* Ok the segment is to be consumed as chars. * Ok the segment is to be consumed as chars.
*/ */
@@ -5764,13 +5768,13 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
break; break;
} }
case XML_PARSER_CONTENT: { case XML_PARSER_CONTENT: {
xmlChar chr[2] = { 0, 0 };
long cons; long cons;
/* /*
* Handle preparsed entities and charRef * Handle preparsed entities and charRef
*/ */
if (ctxt->token != 0) { if (ctxt->token != 0) {
xmlChar chr[2] = { 0 , 0 } ;
chr[0] = (xmlChar) ctxt->token; chr[0] = (xmlChar) ctxt->token;
htmlCheckParagraph(ctxt); htmlCheckParagraph(ctxt);
if ((ctxt->sax != NULL) && (ctxt->sax->characters != NULL)) if ((ctxt->sax != NULL) && (ctxt->sax->characters != NULL))
@@ -5782,21 +5786,22 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
cur = in->cur[0]; cur = in->cur[0];
if ((cur != '<') && (cur != '&')) { if ((cur != '<') && (cur != '&')) {
if (ctxt->sax != NULL) { if (ctxt->sax != NULL) {
chr[0] = cur;
if (IS_BLANK_CH(cur)) { if (IS_BLANK_CH(cur)) {
if (ctxt->keepBlanks) { if (ctxt->keepBlanks) {
if (ctxt->sax->characters != NULL) if (ctxt->sax->characters != NULL)
ctxt->sax->characters( ctxt->sax->characters(
ctxt->userData, &in->cur[0], 1); ctxt->userData, chr, 1);
} else { } else {
if (ctxt->sax->ignorableWhitespace != NULL) if (ctxt->sax->ignorableWhitespace != NULL)
ctxt->sax->ignorableWhitespace( ctxt->sax->ignorableWhitespace(
ctxt->userData, &in->cur[0], 1); ctxt->userData, chr, 1);
} }
} else { } else {
htmlCheckParagraph(ctxt); htmlCheckParagraph(ctxt);
if (ctxt->sax->characters != NULL) if (ctxt->sax->characters != NULL)
ctxt->sax->characters( ctxt->sax->characters(
ctxt->userData, &in->cur[0], 1); ctxt->userData, chr, 1);
} }
} }
ctxt->token = 0; ctxt->token = 0;