Commit 132af1a0 authored by Nick Wellnhofer

Fix buffer over-read in xmlParseNCNameComplex

Calling GROW can halt the parser if the buffer grows too large. This
will set the buffer to an empty string. Return immediately in this case,
otherwise the "current" pointer is advanced leading to a buffer over-read.

Found with OSS-Fuzz. See

https://oss-fuzz.com/testcase?key=6683819592646656
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5031
parent ad88b54f
...@@ -3370,9 +3370,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { ...@@ -3370,9 +3370,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
*/ */
ctxt->input->cur -= l; ctxt->input->cur -= l;
GROW; GROW;
ctxt->input->cur += l;
if (ctxt->instate == XML_PARSER_EOF) if (ctxt->instate == XML_PARSER_EOF)
return(NULL); return(NULL);
ctxt->input->cur += l;
c = CUR_CHAR(l); c = CUR_CHAR(l);
} }
} }
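Review bot: the ordering change is the whole fix and it looks right: `GROW` can put the parser into `XML_PARSER_EOF` and replace the input buffer with an empty string, so doing `ctxt->input->cur += l;` before the `if (ctxt->instate == XML_PARSER_EOF) return(NULL);` check leaves `cur` pointing `l` bytes past the end of that empty buffer, and the subsequent `CUR_CHAR(l)` reads out of bounds. Moving the increment after the early return means `cur` is only re-advanced when the buffer is still the one it was rewound in. Two follow-ups worth raising: the `cur -= l; GROW; cur += l;` rewind pattern is used in other name-parsing paths of this parser, so it would be good to confirm each of them also checks `instate` before re-advancing `cur`; and the OSS-Fuzz reproducer referenced in the commit message should be added to the regression test inputs so the over-read stays covered.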