[libxml2] Fix more quadratic runtime issues in HTML push parser
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Fix more quadratic runtime issues in HTML push parser
- Date: Thu, 9 Jul 2020 14:16:38 +0000 (UTC)
commit 3da8d947df1f84e54b12145ca2cfa1ff6456f532
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Thu Jul 9 16:08:38 2020 +0200
Fix more quadratic runtime issues in HTML push parser
Make sure that checkIndex is set when returning without match from
inside a comment. Also track parser state in htmlParseLookupChars.
Found by OSS-Fuzz.
HTMLparser.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
---
diff --git a/HTMLparser.c b/HTMLparser.c
index 366c19b3..9b12dd1f 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -5205,7 +5205,7 @@ htmlParseLookupSequence(htmlParserCtxtPtr ctxt, xmlChar first,
}
if (incomment) {
if (base + 3 > len)
- return (-1);
+ break;
if ((buf[base] == '-') && (buf[base + 1] == '-') &&
(buf[base + 2] == '>')) {
incomment = 0;
@@ -5294,8 +5294,11 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
if (base < 0)
return (-1);
- if (ctxt->checkIndex > base)
+ if (ctxt->checkIndex > base) {
base = ctxt->checkIndex;
+ /* Abuse hasPErefs member to restore current state. */
+ incomment = ctxt->hasPErefs & 1 ? 1 : 0;
+ }
if (in->buf == NULL) {
buf = in->base;
@@ -5316,7 +5319,7 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
}
if (incomment) {
if (base + 3 > len)
- return (-1);
+ break;
if ((buf[base] == '-') && (buf[base + 1] == '-') &&
(buf[base + 2] == '>')) {
incomment = 0;
@@ -5332,6 +5335,8 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
}
}
ctxt->checkIndex = base;
+ /* Abuse hasPErefs member to track current state. */
+ ctxt->hasPErefs = incomment;
return (-1);
}
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
