Re: [xml] [PATCH] Check hex or decimal entity for overflow



Hi Nick, is the patch ok to submit now?  Let me know if you need any changes.

On Tue, Jan 9, 2018 at 10:55 AM, Joel Hockey <joelhockey chromium org> wrote:
Updated patch with XML_ERR_INVALID_CHAR.

On Tue, Jan 9, 2018 at 5:55 AM, Nick Wellnhofer <wellnhofer aevum de> wrote:
On 08/01/2018 02:06, Joel Hockey wrote:
The entity parsing code in tree.c is getting integer overflow when a very long, invalid hex (or decimal) entity is used:  e.g. #xabcdefabcdef;

This is probably the same issue as

    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3874

Also see

    https://bugzilla.gnome.org/show_bug.cgi?id=783052

The issue only arises in "recovery" mode (XML_PARSE_RECOVER). In the past, I tried to fix similar issues by not adding nodes containing invalid character references at all in an earlier stage of the parsing code, but I'm fine with your approach.

For these cases, I am setting the error to XML_TREE_UNTERMINATED_ENTITY.  The other 2 existing codes are XML_TREE_INVALID_HEX, XML_TREE_INVALID_DEC.  I thought unterminated is the better choice, but maybe a new code such as XML_TREE_INVALID_CHAR could be used.

Regarding the error code, we could simply use XML_ERR_INVALID_CHAR or not report an error at all since invalid numeric character references are already detected and reported earlier.

Nick
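The overflow Joel describes above comes from accumulating an unbounded run of hex or decimal digits into a fixed-width integer. The following is an added, stand-alone illustration of the defensive check under discussion; it is not libxml2's tree.c code, and the `ncr_*` names and `NCR_*` status values are hypothetical stand-ins for the XML_TREE_INVALID_HEX / XML_TREE_INVALID_DEC / XML_ERR_INVALID_CHAR codes mentioned in the thread. It stops growing the accumulator as soon as the running value exceeds the largest Unicode code point, so a reference such as `&#xabcdefabcdef;` is rejected as an invalid character rather than wrapping around.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not libxml2's implementation. The status names below
 * are hypothetical stand-ins for the error codes discussed in the thread. */
enum ncr_status {
    NCR_OK = 0,
    NCR_INVALID_HEX,   /* non-hex digit inside &#x...; */
    NCR_INVALID_DEC,   /* non-digit inside &#...; */
    NCR_UNTERMINATED,  /* string ended before the closing ';' */
    NCR_INVALID_CHAR   /* value overflowed or is not a legal XML character */
};

/* Largest Unicode scalar value; any larger value cannot name a character. */
#define NCR_MAX_CODEPOINT 0x10FFFFu

/* XML 1.0 "Char" production: which code points may appear in a document. */
static int ncr_is_xml_char(uint32_t cp) {
    return cp == 0x9 || cp == 0xA || cp == 0xD ||
           (cp >= 0x20 && cp <= 0xD7FF) ||
           (cp >= 0xE000 && cp <= 0xFFFD) ||
           (cp >= 0x10000 && cp <= 0x10FFFF);
}

/* Parse one numeric character reference starting at s (must begin "&#").
 * On success stores the code point in *out and the bytes consumed in
 * *consumed. The accumulator is frozen once it passes NCR_MAX_CODEPOINT,
 * so no length of digit run can overflow it. */
enum ncr_status ncr_parse(const char *s, uint32_t *out, size_t *consumed) {
    const char *p = s;
    uint32_t value = 0;
    int overflow = 0;
    int hex;
    const char *digits_start;

    if (p[0] != '&' || p[1] != '#') return NCR_INVALID_DEC;
    p += 2;
    hex = (*p == 'x');
    if (hex) p++;
    digits_start = p;

    for (;; p++) {
        unsigned char c = (unsigned char)*p;
        int d;
        if (c == ';') break;
        if (c == '\0') return NCR_UNTERMINATED;
        if (hex) {
            if (c >= '0' && c <= '9') d = c - '0';
            else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
            else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
            else return NCR_INVALID_HEX;
        } else {
            if (c >= '0' && c <= '9') d = c - '0';
            else return NCR_INVALID_DEC;
        }
        if (!overflow) {
            /* value <= 0x10FFFF here, so value*16 + 15 fits in 32 bits. */
            value = value * (hex ? 16u : 10u) + (uint32_t)d;
            if (value > NCR_MAX_CODEPOINT) overflow = 1; /* stop accumulating */
        }
    }
    if (p == digits_start) return hex ? NCR_INVALID_HEX : NCR_INVALID_DEC;
    p++; /* consume ';' */
    if (overflow || !ncr_is_xml_char(value)) return NCR_INVALID_CHAR;
    *out = value;
    *consumed = (size_t)(p - s);
    return NCR_OK;
}

/* Convenience wrappers: status only, or code point only (0xFFFFFFFF on error). */
enum ncr_status ncr_status_of(const char *s) {
    uint32_t v; size_t n;
    return ncr_parse(s, &v, &n);
}
uint32_t ncr_value_of(const char *s) {
    uint32_t v = 0; size_t n;
    return ncr_parse(s, &v, &n) == NCR_OK ? v : 0xFFFFFFFFu;
}

int main(void) {
    /* Constructed inputs, including the long reference from the thread. */
    const char *samples[] = { "&#x41;", "&#65;", "&#xabcdefabcdef;",
                              "&#x41", "&#xg;", "&#0;", "&#xD800;" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s status=%d value=0x%X\n", samples[i],
               (int)ncr_status_of(samples[i]), ncr_value_of(samples[i]));
    return 0;
}
```

The point of freezing the accumulator rather than clamping or using a wider type is that the decision ("too large to be a character") is made at the first digit that pushes the value out of range, independent of how many digits follow; the recovery-mode path can then report the reference as an invalid character without ever computing a wrapped value.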
