[glib/markup-cve-fixes-2-56: 2/2] gmarkup: Fix crash in error handling path for closing elements
- From: Iain Lane <iainl src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib/markup-cve-fixes-2-56: 2/2] gmarkup: Fix crash in error handling path for closing elements
- Date: Wed, 12 Sep 2018 11:54:54 +0000 (UTC)
commit c008d2c43628ae4bfdbba35715228904d2bc998e
Author: Philip Withnall <withnall endlessm com>
Date: Mon Jul 30 18:33:39 2018 +0100
gmarkup: Fix crash in error handling path for closing elements
If something which looks like a closing tag is left unfinished, but
isn’t paired to an opening tag in the document, the error handling code
would do a null pointer dereference. Avoid that, at the cost of
introducing a new translatable error message.
Includes a test case, courtesy of pdknsk.
Signed-off-by: Philip Withnall <withnall endlessm com>
https://gitlab.gnome.org/GNOME/glib/issues/1461
(cherry picked from commit fccef3cc822af74699cca84cd202719ae61ca3b9)
glib/gmarkup.c | 11 ++++++++---
glib/tests/Makefile.am | 1 +
glib/tests/markups/fail-51.expected | 1 +
glib/tests/markups/fail-51.gmarkup | 1 +
4 files changed, 11 insertions(+), 3 deletions(-)
---
diff --git a/glib/gmarkup.c b/glib/gmarkup.c
index fd3a11c52..d0b4823a9 100644
--- a/glib/gmarkup.c
+++ b/glib/gmarkup.c
@@ -1844,9 +1844,14 @@ g_markup_parse_context_end_parse (GMarkupParseContext *context,
case STATE_AFTER_CLOSE_TAG_SLASH:
case STATE_INSIDE_CLOSE_TAG_NAME:
case STATE_AFTER_CLOSE_TAG_NAME:
- set_error (context, error, G_MARKUP_ERROR_PARSE,
- _("Document ended unexpectedly inside the close tag for "
- "element '%s'"), current_element (context));
+ if (context->tag_stack != NULL)
+ set_error (context, error, G_MARKUP_ERROR_PARSE,
+ _("Document ended unexpectedly inside the close tag for "
+ "element '%s'"), current_element (context));
+ else
+ set_error (context, error, G_MARKUP_ERROR_PARSE,
+ _("Document ended unexpectedly inside the close tag for an "
+ "unopened element"));
break;
case STATE_INSIDE_PASSTHROUGH:
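Review bot: The new `if (context->tag_stack != NULL)` / `else` in the three close-tag cases wraps two multi-line `set_error` calls without braces and has no comment saying when the stack is empty at this point. Please brace both branches and add a one-line comment that the `else` covers a close tag that was never paired with an opening tag, as the commit message describes. The guard sits at this call site only, so it is worth confirming that no other case in g_markup_parse_context_end_parse passes current_element (context) to set_error while the tag stack is empty.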
diff --git a/glib/tests/Makefile.am b/glib/tests/Makefile.am
index d119fd974..4c8028b89 100644
--- a/glib/tests/Makefile.am
+++ b/glib/tests/Makefile.am
@@ -156,6 +156,7 @@ markup_tests = \
fail-36 fail-37 fail-38 fail-39 fail-40 \
fail-41 fail-42 fail-43 fail-44 fail-45 \
fail-46 fail-47 fail-48 fail-49 fail-50 \
+ fail-51 \
valid-1 valid-2 valid-3 valid-4 valid-5 \
valid-6 valid-7 valid-8 valid-9 valid-10 \
valid-11 valid-12 valid-13 valid-14 valid-15 \
diff --git a/glib/tests/markups/fail-51.expected b/glib/tests/markups/fail-51.expected
new file mode 100644
index 000000000..1c7e8d47a
--- /dev/null
+++ b/glib/tests/markups/fail-51.expected
@@ -0,0 +1 @@
+ERROR Error on line 1 char 5: Document ended unexpectedly inside the close tag for an unopened element
diff --git a/glib/tests/markups/fail-51.gmarkup b/glib/tests/markups/fail-51.gmarkup
new file mode 100644
index 000000000..860e1e6b5
--- /dev/null
+++ b/glib/tests/markups/fail-51.gmarkup
@@ -0,0 +1 @@
+</0<
\ No newline at end of file
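Review bot: fail-51.gmarkup is a single input, while the patched branch in gmarkup.c is shared by STATE_AFTER_CLOSE_TAG_SLASH, STATE_INSIDE_CLOSE_TAG_NAME and STATE_AFTER_CLOSE_TAG_NAME. Consider adding fail cases that reach the end of the document in the other states with nothing on the tag stack, so every path to the new "unopened element" message is covered. A companion case with an element still open would also pin the original '%s' message that the `if` branch keeps.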