Commit a820dbea authored by Pranjal Jumde's avatar Pranjal Jumde Committed by Daniel Veillard

Bug 758605: Heap-based buffer overread in xmlDictAddString...

Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605>

Reviewed by David Kilzer.

* HTMLparser.c:
(htmlParseName): Add bounds check.
(htmlParseNameComplex): Ditto.
* result/HTML/758605.html: Added.
* result/HTML/758605.html.err: Added.
* result/HTML/758605.html.sax: Added.
* runtest.c:
(pushParseTest): The input for the new test case was so small
(4 bytes) that htmlParseChunk() was never called after
htmlCreatePushParserCtxt(), thereby creating a false positive
test failure.  Fixed by using a do-while loop so we always call
htmlParseChunk() at least once.
* test/HTML/758605.html: Added.
parent db07dd61
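--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -2471,6 +2471,10 @@ htmlParseName(htmlParserCtxtPtr ctxt) {
 	       (*in == '_') || (*in == '-') ||
 	       (*in == ':') || (*in == '.'))
 	    in++;
+	if (in == ctxt->input->end)
+	    return(NULL);
 	if ((*in > 0) && (*in < 0x80)) {
 	    count = in - ctxt->input->cur;
 	    ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count);
@@ -2514,6 +2518,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) {
 	NEXTL(l);
 	c = CUR_CHAR(l);
     }
+    if (ctxt->input->base > ctxt->input->cur - len)
+        return(NULL);
     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
 }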
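Review bot: The guard added in htmlParseNameComplex forms the pointer `ctxt->input->cur - len` before comparing it with `base`; in exactly the case it is meant to catch (len larger than the distance back to base) that subtraction already yields a pointer outside the input buffer, which is undefined behaviour in C even when only a comparison follows. Comparing distances keeps the arithmetic in bounds: `if (ctxt->input->cur - ctxt->input->base < len) return(NULL);` (assuming len is signed and non-negative, as its use as a length argument suggests but the hunk does not show). A one-line comment on why the check exists would also help, e.g. `/* the input buffer may have been shrunk while the name was read; refuse to look up before its start */`, hedged because the shrink is not visible here. The same silent NULL return is introduced in the htmlParseName hunk above; both functions start outside the hunks shown, so whether every caller tolerates NULL cannot be confirmed from this commit.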
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>&amp;
</p></body></html>
./test/HTML/758605.html:1: HTML parser error : htmlParseEntityRef: no name
ê
^
SAX.setDocumentLocator()
SAX.startDocument()
SAX.error: htmlParseEntityRef: no name
SAX.startElement(html)
SAX.startElement(body)
SAX.startElement(p)
SAX.characters(&amp;, 1)
SAX.ignorableWhitespace(
, 1)
SAX.endElement(p)
SAX.endElement(body)
SAX.endElement(html)
SAX.endDocument()
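--- a/runtest.c
+++ b/runtest.c
@@ -1873,7 +1873,7 @@ pushParseTest(const char *filename, const char *result,
     ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename);
     xmlCtxtUseOptions(ctxt, options);
     cur += 4;
-    while (cur < size) {
+    do {
         if (cur + 1024 >= size) {
 #ifdef LIBXML_HTML_ENABLED
             if (options & XML_PARSE_HTML)
@@ -1891,7 +1891,7 @@ pushParseTest(const char *filename, const char *result,
             xmlParseChunk(ctxt, base + cur, 1024, 0);
             cur += 1024;
         }
-    }
+    } while (cur < size);
     doc = ctxt->myDoc;
 #ifdef LIBXML_HTML_ENABLED
     if (options & XML_PARSE_HTML)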
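Review bot: The new do-while now reaches the final-chunk branch even when `cur` is already past `size`: `cur += 4` follows an unconditional 4-byte initial chunk, so an input shorter than 4 bytes enters the loop with `cur > size`, and a remaining length derived from `size - cur` in the terminating chunk call (collapsed between the two hunks) would presumably be negative. A guard before xmlCreatePushParserCtxt, such as `if (size < 4) return(-1);` or padding the buffer, closes that gap; the initial 4-byte read itself predates this commit. The reason for the loop shape lives only in the commit message, so a comment next to `do {` would help the next reader: `/* do-while: deliver the terminating chunk even when the whole input fit into the 4-byte initial chunk */`. pushParseTest starts and ends outside the hunks shown.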