[libxml2] Clear entity content in case of errors
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Clear entity content in case of errors
- Date: Mon, 22 Jan 2018 15:31:11 +0000 (UTC)
commit 60dded12cbf1705927803c5ed615a7a0132aebbd
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Mon Jan 22 15:04:58 2018 +0100
Clear entity content in case of errors
This only affects recovery mode and avoids integer overflow in
xmlStringGetNodeList and possibly other nasty surprises.
See bug 783052 and
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3874
https://bugs.chromium.org/p/chromium/issues/detail?id=796804
parser.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
---
diff --git a/parser.c b/parser.c
index afc4cb1..d1ce8b5 100644
--- a/parser.c
+++ b/parser.c
@@ -149,7 +149,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
rep = xmlStringDecodeEntities(ctxt, ent->content,
XML_SUBSTITUTE_REF, 0, 0, 0);
--ctxt->depth;
- if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
+ if (rep == NULL) {
ent->content[0] = 0;
}
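Review bot: the new condition `if (rep == NULL)` dereferences `ent->content` without the NULL guard that the second hunk adds before the same assignment; unless the enclosing branch (not visible in this context) already guarantees `ent->content` is non-NULL, mirror the guard here as `if ((rep == NULL) && (ent->content != NULL))`. The change itself is the right direction: clearing the content on any decode failure rather than only on `XML_ERR_ENTITY_LOOP` means a partially decoded entity can no longer be fed to later consumers in recovery mode, which is the overflow path the commit message names. A one-line comment above the check stating that intent would save the next reader a trip to the bug tracker.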
@@ -7189,6 +7189,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
(ret != XML_WAR_UNDECLARED_ENTITY)) {
xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
"Entity '%s' failed to parse\n", ent->name);
+ if (ent->content != NULL)
+ ent->content[0] = 0;
xmlParserEntityCheck(ctxt, 0, ent, 0);
} else if (list != NULL) {
xmlFreeNodeList(list);
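Review bot: clearing `ent->content[0]` only truncates the string at its terminator; if the entity structure also keeps a separately stored content length (not shown in these lines), it should be reset in the same place, otherwise a consumer that reads the length rather than scanning for the terminator may still see the old size. Consider also documenting why the content is emptied right after `xmlFatalErrMsgStr`, for example `/* keep the failed entity from contributing content in recovery mode */`, since the reason is only stated in the commit message. The `ent->content != NULL` guard is correct and consistent with the `list != NULL` check in the `else if` branch below.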