Re: [xml] [PATCH] Check hex or decimal entity for overflow
- From: Nick Wellnhofer <wellnhofer aevum de>
- To: Joel Hockey <joelhockey chromium org>, xml gnome org
- Subject: Re: [xml] [PATCH] Check hex or decimal entity for overflow
- Date: Mon, 8 Jan 2018 19:55:46 +0100
On 08/01/2018 02:06, Joel Hockey wrote:
> The entity parsing code in tree.c is getting integer overflow when a very
> long, invalid hex (or decimal) entity is used: e.g. #xabcdefabcdef;
This is probably the same issue as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3874
Also see
https://bugzilla.gnome.org/show_bug.cgi?id=783052
The issue only arises in "recovery" mode (XML_PARSE_RECOVER). In the past, I
tried to fix similar issues by not adding nodes containing invalid character
references at all in an earlier stage of the parsing code, but I'm fine with
your approach.
> For these cases, I am setting the error to XML_TREE_UNTERMINATED_ENTITY. The
> other 2 existing codes are XML_TREE_INVALID_HEX, XML_TREE_INVALID_DEC. I
> thought unterminated is the better choice, but maybe a new code such as
> XML_TREE_INVALID_CHAR could be used.
Regarding the error code, we could simply use XML_ERR_INVALID_CHAR or not
report an error at all since invalid numeric character references are already
detected and reported earlier.
Nick
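
An added example, not part of the thread and not libxml2's code: a bounded accumulator for numeric character references that rejects the value as soon as it exceeds 0x10FFFF, so an arbitrarily long run of digits cannot overflow the integer. The name `parse_char_ref` and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_CODE_POINT 0x10FFFFUL   /* highest Unicode code point */

/* Hypothetical helper: parse "&#NNN;" or "&#xHHH;" starting at s.
 * Returns the code point, or -1 if the reference is malformed,
 * unterminated or out of range. On success *len is the number of
 * bytes consumed. XML Char validity (e.g. rejecting 0) is a separate
 * check that this sketch leaves out. */
static long parse_char_ref(const char *s, size_t *len)
{
    const char *p = s;
    unsigned long val = 0;
    unsigned base = 10;
    int digits = 0;

    if (p[0] != '&' || p[1] != '#')
        return -1;
    p += 2;
    if (*p == 'x') { base = 16; p++; }

    for (;; p++, digits++) {
        unsigned d;
        if (*p >= '0' && *p <= '9')                    d = (unsigned)(*p - '0');
        else if (base == 16 && *p >= 'a' && *p <= 'f') d = (unsigned)(*p - 'a' + 10);
        else if (base == 16 && *p >= 'A' && *p <= 'F') d = (unsigned)(*p - 'A' + 10);
        else break;
        val = val * base + d;
        /* val was <= MAX_CODE_POINT before this step, so the multiply
         * cannot wrap; bail out before the next digit can push it further. */
        if (val > MAX_CODE_POINT)
            return -1;
    }
    if (digits == 0 || *p != ';')
        return -1;
    *len = (size_t)(p - s) + 1;
    return (long)val;
}

int main(void)
{
    /* Constructed inputs; the third is the over-long form from the report. */
    const char *in[] = { "&#x41;", "&#65;", "&#xabcdefabcdef;", "&#x41" };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        size_t n = 0;
        printf("%-20s -> %ld\n", in[i], parse_char_ref(in[i], &n));
    }
    return 0;
}
```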