Commit 1358d157 authored by Nick Wellnhofer's avatar Nick Wellnhofer

Fix use-after-free with `xmllint --html --push`

Call htmlCtxtUseOptions to make sure that names aren't stored in
dictionaries.

Note that this issue only affects xmllint using the HTML push parser.

Fixes #230.
parent fb08d9fe
Pipeline #276310 passed with stage
in 13 minutes and 36 seconds
......@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
if (res > 0) {
ctxt = htmlCreatePushParserCtxt(NULL, NULL,
chars, res, filename, XML_CHAR_ENCODING_NONE);
xmlCtxtUseOptions(ctxt, options);
htmlCtxtUseOptions(ctxt, options);
while ((res = fread(chars, 1, pushsize, f)) > 0) {
htmlParseChunk(ctxt, chars, res, 0);
}
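Review bot: The hunk swaps xmlCtxtUseOptions for htmlCtxtUseOptions on a context created by htmlCreatePushParserCtxt, which is the right pairing, but the return value of htmlCreatePushParserCtxt is used directly without a NULL check; adding `if (ctxt == NULL) { /* report error and return */ }` before the option call would avoid a NULL dereference on allocation failure. A one-line comment at the call site stating that htmlCtxtUseOptions is required so element names are not stored in a dictionary would also help, since that reasoning currently lives only in the commit message.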
  • mentioned in issue #235 (closed)

  • @nwellnhof Hi, I recently ran into this issue on a historical version of libxml2 as well and was doing some root cause analysis work. But I don't understand enough about the way HTML is parsed, so I don't really understand the real cause of this vulnerability. Could you please tell me why you patched the vulnerability like this?

  • @dhbbb I don't remember the exact details. Reading the commit message, it had something to do with storing element names in a dictionary. The XML parser does this by default and has an option XML_PARSE_NODICT to disable this behavior. The HTML parser never stores element names in dictionaries, and htmlCtxtUseOptions sets ctxt->dictNames to 0. Anyway, mixing html* and xml* function calls is obviously wrong.
