Commit 0bcd05c5 authored by Pranjal Jumde's avatar Pranjal Jumde Committed by Daniel Veillard

Heap-based buffer overread in htmlCurrentChar

For https://bugzilla.gnome.org/show_bug.cgi?id=758606

* parserInternals.c:
(xmlNextChar): Add a test to catch other issues on ctxt->input
corruption proactively.
For non-UTF-8 charsets, xmlNextChar() failed to check for the end
of the input buffer and would continue reading.  Fix this by
pulling out the check for the end of the input buffer into common
code, and return if we reach the end of the input buffer
prematurely.
* result/HTML/758606.html: Added.
* result/HTML/758606.html.err: Added.
* result/HTML/758606.html.sax: Added.
* result/HTML/758606_2.html: Added.
* result/HTML/758606_2.html.err: Added.
* result/HTML/758606_2.html.sax: Added.
* test/HTML/758606.html: Added test case.
* test/HTML/758606_2.html: Added test case.
parent 00906759
......@@ -55,6 +55,10 @@
#include <libxml/globals.h>
#include <libxml/chvalid.h>
#define CUR(ctxt) ctxt->input->cur
#define END(ctxt) ctxt->input->end
#define VALID_CTXT(ctxt) (CUR(ctxt) <= END(ctxt))
#include "buf.h"
#include "enc.h"
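Review bot: The three new macros at the `#define CUR`/`END`/`VALID_CTXT` lines parenthesize neither their argument nor their expansion, so an argument that is an expression, or a use like `!CUR(x)` in a later change, would expand incorrectly; write them as `#define CUR(ctxt) ((ctxt)->input->cur)`, `#define END(ctxt) ((ctxt)->input->end)` and keep `#define VALID_CTXT(ctxt) (CUR(ctxt) <= END(ctxt))`. `VALID_CTXT` bounds `cur` only from above, so a `cur` that has gone below `input->base` would still pass; if that state is reachable (I cannot tell from this hunk), `(CUR(ctxt) >= (ctxt)->input->base)` belongs in the same macro. Both macros dereference `ctxt->input` unconditionally, so they are only safe after the NULL checks the callers already make; a one-line comment such as `/* Callers must have checked ctxt and ctxt->input for NULL first */` above them would record that. The `<=` presumably allows `cur == end` because the position at `end` holds the terminating 0 the parser tests for; stating that in a comment would make the choice of `<=` over `<` obviously deliberate.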
......@@ -422,18 +426,21 @@ xmlNextChar(xmlParserCtxtPtr ctxt)
(ctxt->input == NULL))
return;
if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
if (!(VALID_CTXT(ctxt))) {
xmlErrInternal(ctxt, "Parser input data memory error\n", NULL);
ctxt->errNo = XML_ERR_INTERNAL_ERROR;
xmlStopParser(ctxt);
return;
}
if ((*ctxt->input->cur == 0) &&
(xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0) &&
(ctxt->instate != XML_PARSER_COMMENT)) {
/*
* If we are at the end of the current entity and
* the context allows it, we pop consumed entities
* automatically.
* the auto closing should be blocked in other cases
*/
(xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) {
if ((ctxt->instate != XML_PARSER_COMMENT))
xmlPopInput(ctxt);
} else {
return;
}
if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
const unsigned char *cur;
unsigned char c;
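Review bot: The `if (!(VALID_CTXT(ctxt)))` guard can only fire after the damage is done, since `cur` is past `end` here only if an earlier consumer already read beyond the buffer, and the message `"Parser input data memory error\n"` does not say so; a comment such as `/* cur past end means an earlier consumer overran the input buffer; stop before touching it again */` would tell the next reader what this check actually catches. The commit title names htmlCurrentChar, but this hunk hardens xmlNextChar alone, so any routine that advances `ctxt->input->cur` on its own presumably needs the same bound check, which I cannot verify from this hunk. In the end-of-input branch the `return;` after the pop leaves `cur` where it was without reporting anything in the `XML_PARSER_COMMENT` case, so a caller that loops on NEXT until a condition other than end of input could spin; a comment stating that callers must test for end of input themselves would make that contract explicit. The doubled parentheses in `if ((ctxt->instate != XML_PARSER_COMMENT))` can be reduced to `if (ctxt->instate != XML_PARSER_COMMENT)`. xmlNextChar's body continues past this hunk.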
......@@ -518,7 +525,6 @@ xmlNextChar(xmlParserCtxtPtr ctxt)
ctxt->nbChars++;
if (*ctxt->input->cur == 0)
xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
}
} else {
/*
* Assume it's a fixed length encoding (1) with
./test/HTML/758606.html:1: HTML parser error : Comment not terminated
<!--
<!-- <!doctype
^
./test/HTML/758606.html:1: HTML parser error : Invalid char in CDATA 0xC
<!-- <!doctype
^
./test/HTML/758606.html:1: HTML parser error : Misplaced DOCTYPE declaration
<!-- <!doctype
^
./test/HTML/758606.html:2: HTML parser error : htmlParseDocTypeDecl : no DOCTYPE name !
^
./test/HTML/758606.html:2: HTML parser error : DOCTYPE improperly terminated
^
SAX.setDocumentLocator()
SAX.startDocument()
SAX.error: Comment not terminated
<!--
SAX.error: Invalid char in CDATA 0xC
SAX.error: Misplaced DOCTYPE declaration
SAX.error: htmlParseDocTypeDecl : no DOCTYPE name !
SAX.error: DOCTYPE improperly terminated
SAX.internalSubset((null), , )
SAX.endDocument()
<!DOCTYPE >
<html><body><p>&#145;</p></body></html>
./test/HTML/758606_2.html:1: HTML parser error : Comment not terminated
<!--
<!-- <!dOctYPE
^
./test/HTML/758606_2.html:1: HTML parser error : Invalid char in CDATA 0xC
<!-- <!dOctYPE
^
./test/HTML/758606_2.html:1: HTML parser error : Misplaced DOCTYPE declaration
‘<!dOctYPE
^
./test/HTML/758606_2.html:2: HTML parser error : htmlParseDocTypeDecl : no DOCTYPE name !
^
./test/HTML/758606_2.html:2: HTML parser error : DOCTYPE improperly terminated
^
SAX.setDocumentLocator()
SAX.startDocument()
SAX.error: Comment not terminated
<!--
SAX.error: Invalid char in CDATA 0xC
SAX.startElement(html)
SAX.startElement(body)
SAX.startElement(p)
SAX.characters(&#145;, 2)
SAX.error: Misplaced DOCTYPE declaration
SAX.error: htmlParseDocTypeDecl : no DOCTYPE name !
SAX.error: DOCTYPE improperly terminated
SAX.internalSubset((null), , )
SAX.endElement(p)
SAX.endElement(body)
SAX.endElement(html)
SAX.endDocument()