On 08/01/2018 02:06, Joel Hockey wrote:
The entity parsing code in tree.c is getting integer overflow when a very long, invalid hex (or decimal) entity is used: e.g. #xabcdefabcdef;
This is probably the same issue as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3874
Also see
https://bugzilla.gnome.org/show_bug.cgi?id=783052
The issue only arises in "recovery" mode (XML_PARSE_RECOVER). In the past, I tried to fix similar issues by not adding nodes containing invalid character references at all in an earlier stage of the parsing code, but I'm fine with your approach.
For these cases, I am setting the error to XML_TREE_UNTERMINATED_ENTITY. The other 2 existing codes are XML_TREE_INVALID_HEX, XML_TREE_INVALID_DEC. I thought unterminated is the better choice, but maybe a new code such as XML_TREE_INVALID_CHAR could be used.
Regarding the error code, we could simply use XML_ERR_INVALID_CHAR or not report an error at all since invalid numeric character references are already detected and reported earlier.
Nick
Attachment:
0001-Check-hex-or-decimal-entity-for-overflow.patch
Description: Text Data