Commit 52ceced6 authored by Nick Wellnhofer's avatar Nick Wellnhofer

Fix infinite loops with push parser in recovery mode

Make sure that the input pointer advances in case of errors. Otherwise,
the push parser can loop infinitely.

Found with libFuzzer.
parent f435365b
...@@ -4421,7 +4421,7 @@ get_more: ...@@ -4421,7 +4421,7 @@ get_more:
if (*in == ']') { if (*in == ']') {
if ((in[1] == ']') && (in[2] == '>')) { if ((in[1] == ']') && (in[2] == '>')) {
xmlFatalErr(ctxt, XML_ERR_MISPLACED_CDATA_END, NULL); xmlFatalErr(ctxt, XML_ERR_MISPLACED_CDATA_END, NULL);
ctxt->input->cur = in; ctxt->input->cur = in + 1;
return; return;
} }
in++; in++;
...@@ -4574,7 +4574,7 @@ xmlParseCharDataComplex(xmlParserCtxtPtr ctxt, int cdata) { ...@@ -4574,7 +4574,7 @@ xmlParseCharDataComplex(xmlParserCtxtPtr ctxt, int cdata) {
} }
} }
} }
if ((cur != 0) && (!IS_CHAR(cur))) { if ((ctxt->input->cur < ctxt->input->end) && (!IS_CHAR(cur))) {
/* Generate the error and skip the offending character */ /* Generate the error and skip the offending character */
xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR, xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR,
"PCDATA invalid Char value %d\n", "PCDATA invalid Char value %d\n",
......
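Review bot: The rewritten guard in the second hunk, `if ((ctxt->input->cur < ctxt->input->end) && (!IS_CHAR(cur)))`, changes what a zero `cur` means without saying so in the code: a zero used to bypass this error path, and now a NUL byte that sits before `input->end` is reported as XML_ERR_INVALID_CHAR and skipped. A one-line comment above it, such as `/* cur == 0 means end of input only at input->end; an embedded NUL must be skipped or the push parser never advances */`, would keep a later cleanup from restoring the `cur != 0` test and the hang with it. The same applies to `ctxt->input->cur = in + 1;` in the first hunk, which deliberately steps over the first `]` of a misplaced `]]>`. That byte appears to be dropped without reaching the character-data callback or the column counter, which is worth confirming because both functions continue outside the hunks. Since the input came from libFuzzer, adding the reproducer as a push-mode regression test would pin both paths against this denial-of-service condition.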