[libxml2] Fix sanity check in htmlParseNameComplex



commit f39e3be0dd9b3aa3ec47ff339b4934c16f6e5156
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Sun Jun 11 12:35:59 2017 +0200

    Fix sanity check in htmlParseNameComplex
    
    - (cur - len) can overflow.
    - Throw an internal error.
    
    Fixes bug 780077.

 HTMLparser.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)
---
diff --git a/HTMLparser.c b/HTMLparser.c
index d1395fa..3198afa 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -2528,8 +2528,12 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) {
        }
     }
 
-    if (ctxt->input->base > ctxt->input->cur - len)
-       return(NULL);
+    if (ctxt->input->cur - ctxt->input->base < len) {
+        /* Sanity check */
+       htmlParseErr(ctxt, XML_ERR_INTERNAL_ERROR,
+                     "unexpected change of input buffer", NULL, NULL);
+        return (NULL);
+    }
 
     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
 }
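Review bot: The `/* Sanity check */` comment in the new guard does not say which invariant it protects or why the comparison was rewritten, so a later cleanup could restore the old `cur - len` form. I would replace it with `/* The input buffer may have changed during the scan; compare offsets so that cur - len is never formed when it would fall before base. */`. The added lines also mix indentation widths and write `return (NULL);`, whereas the last line of the hunk uses `return(NULL);`. The body of htmlParseNameComplex starts outside this hunk, so how `len` is accumulated is not visible here.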

