[libxml2] Reset HTML parser input before reporting error

[Nick Wellnhofer <nwellnhof src gnome org>]

commit 3f18e7486d5feb8ae41911ce3c122e05641a4c3d
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Sat Jul 11 14:34:57 2020 +0200

    Reset HTML parser input before reporting error
    
    Avoid use-after-free, similar to 13ba5b61. Also make sure that
    xmlBufSetInputBaseCur sets valid pointers in case of buffer errors.
    
    Found by OSS-Fuzz.

 HTMLparser.c | 2 +-
 buf.c        | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
---
diff --git a/HTMLparser.c b/HTMLparser.c
index 9b12dd1f..1dea7947 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -6150,12 +6150,12 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size,
        int res;
 
        res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
+        xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
        if (res < 0) {
            ctxt->errNo = XML_PARSER_EOF;
            ctxt->disableSAX = 1;
            return (XML_PARSER_EOF);
        }
-        xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
 #ifdef DEBUG_PUSH
        xmlGenericError(xmlGenericErrorContext, "HPP: pushed %d\n", size);
 #endif
diff --git a/buf.c b/buf.c
index 8ad18a1e..24368d37 100644
--- a/buf.c
+++ b/buf.c
@@ -1334,8 +1334,12 @@ xmlBufGetInputBase(xmlBufPtr buf, xmlParserInputPtr input) {
 int
 xmlBufSetInputBaseCur(xmlBufPtr buf, xmlParserInputPtr input,
                       size_t base, size_t cur) {
-    if ((input == NULL) || (buf == NULL) || (buf->error))
+    if (input == NULL)
+        return(-1);
+    if ((buf == NULL) || (buf->error)) {
+        input->base = input->cur = input->end = BAD_CAST "";
         return(-1);
+    }
     CHECK_COMPAT(buf)
     input->base = &buf->content[base];
     input->cur = input->base + cur;