Missing check for variable "in" in function xmlParseName of parser.c
There is a missing-check vulnerability in function xmlParseName of parser.c:
3280 const xmlChar *
3281 xmlParseName(xmlParserCtxtPtr ctxt) {
3282     const xmlChar *in;
3283     const xmlChar *ret;
3284     int count = 0;
…
3295     in = ctxt->input->cur;
3296     if (((*in >= 0x61) && (*in <= 0x7A)) ||
3297         ((*in >= 0x41) && (*in <= 0x5A)) ||
3298         (*in == '_') || (*in == ':')) {
3299         in++;
3300         while (((*in >= 0x61) && (*in <= 0x7A)) ||
3301                ((*in >= 0x41) && (*in <= 0x5A)) ||
3302                ((*in >= 0x30) && (*in <= 0x39)) ||
3303                (*in == '_') || (*in == '-') ||
3304                (*in == ':') || (*in == '.'))
3305             in++;
3306         if ((*in > 0) && (*in < 0x80)) {
3307             count = in - ctxt->input->cur;
3308             if ((count > XML_MAX_NAME_LENGTH) &&
3309                 ((ctxt->options & XML_PARSE_HUGE) == 0)) {
3310                 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
3311                 return(NULL);
3312             }
Before line 3306, we should check whether the variable "in" equals ctxt->input->end. If the condition (in == ctxt->input->end) is satisfied, the function should terminate and return NULL.
The attached patch is the proposed fix for the issue: 0001-add-check-for-variable-in-for-xmlParseName.patch
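
A stand-alone sketch of the check proposed above, added here as an example; it is not libxml2 code and not the attached patch. The function name, the status codes and the explicit cur/end arguments are assumptions, and the sketch goes slightly further than the proposal by bounding the scanning loop as well as the test at line 3306.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical result codes for this sketch; these are not libxml2 names. */
enum scan_status { SCAN_OK = 0, SCAN_HIT_END = -1, SCAN_NOT_SIMPLE = -2 };

/* Same byte ranges as the test on lines 3296-3298 of the excerpt. */
static int is_name_start(unsigned char c) {
    return (c >= 0x61 && c <= 0x7A) || (c >= 0x41 && c <= 0x5A) ||
           c == '_' || c == ':';
}

/* Same byte ranges as the loop condition on lines 3300-3304. */
static int is_name_char(unsigned char c) {
    return is_name_start(c) || (c >= 0x30 && c <= 0x39) ||
           c == '-' || c == '.';
}

/* Scan an ASCII name in [cur, end); on SCAN_OK, *len is its length. */
enum scan_status scan_ascii_name(const unsigned char *cur,
                                 const unsigned char *end, size_t *len) {
    const unsigned char *in = cur;

    *len = 0;
    if (in == end)                        /* nothing to read */
        return SCAN_HIT_END;
    if (!is_name_start(*in))
        return SCAN_NOT_SIMPLE;
    in++;
    while (in < end && is_name_char(*in)) /* never dereference end */
        in++;
    if (in == end)                        /* check proposed before line 3306 */
        return SCAN_HIT_END;
    if (*in > 0 && *in < 0x80) {          /* ASCII delimiter ends the name */
        *len = (size_t)(in - cur);
        return SCAN_OK;
    }
    return SCAN_NOT_SIMPLE;               /* NUL or non-ASCII byte follows */
}

int main(void) {
    /* Constructed input: three name bytes with no terminator after them. */
    const unsigned char buf[3] = { 'a', 'b', 'c' };
    size_t len;
    enum scan_status st = scan_ascii_name(buf, buf + sizeof buf, &len);

    printf("status=%d len=%zu\n", (int)st, len);
    return 0;
}
```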