[libxml2] Fix infinite loops with push parser in recovery mode



commit 52ceced6e7038a6bff4960f3e5e729ed01448a41
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Sat Jul 1 17:49:30 2017 +0200

    Fix infinite loops with push parser in recovery mode
    
    Make sure that the input pointer advances in case of errors. Otherwise,
    the push parser can loop infinitely.
    
    Found with libFuzzer.

 parser.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/parser.c b/parser.c
index cfc5b8e..6286cad 100644
--- a/parser.c
+++ b/parser.c
@@ -4421,7 +4421,7 @@ get_more:
            if (*in == ']') {
                if ((in[1] == ']') && (in[2] == '>')) {
                    xmlFatalErr(ctxt, XML_ERR_MISPLACED_CDATA_END, NULL);
-                   ctxt->input->cur = in;
+                   ctxt->input->cur = in + 1;
                    return;
                }
                in++;
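Review bot: The `in + 1` in the misplaced `]]>` branch has no comment saying why the cursor steps one byte past the first `]`, and that one byte is the whole fix. I would add `/* step past the first ']' so a recovering push parser cannot re-enter on the same byte */` above the assignment. The diffstat touches only parser.c, so the libFuzzer input is not kept as a regression test; a push-mode, recovery-mode case with `]]>` inside character data would pin the behaviour. The enclosing loop starts and ends outside this hunk, so whether line and column accounting needs adjusting for the skipped byte cannot be judged from here.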
@@ -4574,7 +4574,7 @@ xmlParseCharDataComplex(xmlParserCtxtPtr ctxt, int cdata) {
            }
        }
     }
-    if ((cur != 0) && (!IS_CHAR(cur))) {
+    if ((ctxt->input->cur < ctxt->input->end) && (!IS_CHAR(cur))) {
        /* Generate the error and skip the offending character */
         xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR,
                           "PCDATA invalid Char value %d\n",
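Review bot: The new guard `ctxt->input->cur < ctxt->input->end` replaces `cur != 0` without a comment, and it now sits beside `IS_CHAR(cur)`, where `cur` is the decoded character value rather than the input pointer, which is easy to misread. A line such as `/* a zero value before input->end is a real NUL byte, not end of buffer: report it and skip it */` would record why the pointer comparison is used. The check presumably relies on `ctxt->input->end` being current for the push buffer at this point, which the hunk does not show. The function body starts above the hunk and the error call continues below it.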

