[libxml2] Fix buffer over-read in xmlParseNCNameComplex



commit 132af1a0d1e949ea0a488c31689f83c1dde7df7d
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Mon Jan 8 18:48:01 2018 +0100

    Fix buffer over-read in xmlParseNCNameComplex
    
    Calling GROW can halt the parser if the buffer grows too large. This
    will set the buffer to an empty string. Return immediately in this case,
    otherwise the "current" pointer is advanced leading to a buffer over-read.
    
    Found with OSS-Fuzz. See
    
    https://oss-fuzz.com/testcase?key=6683819592646656
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5031

 parser.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/parser.c b/parser.c
index a30dd18..afc4cb1 100644
--- a/parser.c
+++ b/parser.c
@@ -3370,9 +3370,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
             */
            ctxt->input->cur -= l;
            GROW;
-           ctxt->input->cur += l;
             if (ctxt->instate == XML_PARSER_EOF)
                 return(NULL);
+           ctxt->input->cur += l;
            c = CUR_CHAR(l);
        }
     }
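Review bot: The reorder is the right fix, since with `ctxt->input->cur += l` before the EOF check the pointer is advanced past the empty string that halting sets up inside GROW, which is the over-read the message describes; keeping the rewind (`cur -= l`) unrestored on the EOF path is fine here because the parser is halted and the return value is NULL. The same rewind/GROW/advance sequence is used at other call sites in parser.c (the companion name parsers follow the same shape), so it is worth checking that each of them also tests `ctxt->instate == XML_PARSER_EOF` before re-advancing `cur`, and a one-line comment above the check explaining why the order matters would save the next reader from "simplifying" it back.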
