authorNick Wellnhofer <wellnhofer@aevum.de>2018-01-08 18:48:01 +0100
committerNick Wellnhofer <wellnhofer@aevum.de>2018-01-08 18:48:01 +0100
commit132af1a0d1e949ea0a488c31689f83c1dde7df7d (patch)
tree6bdfc12ed88c6feddc0ef518ea107ca459e23674
parentad88b54f1a28a8565964a370b5d387927b633c0d (diff)
downloadlibxml2-132af1a0d1e949ea0a488c31689f83c1dde7df7d.tar.gz
Fix buffer over-read in xmlParseNCNameComplex
Calling GROW can halt the parser if the buffer grows too large. This will set the buffer to an empty string. Return immediately in this case, otherwise the "current" pointer is advanced leading to a buffer over-read. Found with OSS-Fuzz. See https://oss-fuzz.com/testcase?key=6683819592646656 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5031
-rw-r--r--parser.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/parser.c b/parser.c
index a30dd18e..afc4cb15 100644
--- a/parser.c
+++ b/parser.c
@@ -3370,9 +3370,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
*/
ctxt->input->cur -= l;
GROW;
- ctxt->input->cur += l;
if (ctxt->instate == XML_PARSER_EOF)
return(NULL);
+ ctxt->input->cur += l;
c = CUR_CHAR(l);
}
}
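Review bot: The reordered `ctxt->input->cur += l;` on the new side now silently depends on the EOF check before it, and nothing in the code says why the two statements must stay in this order; a later refactor that "cleans up" the `-= l` / `+= l` pair around GROW would reintroduce the over-read. I would add a comment above the check: `/* GROW may halt the parser (XML_PARSER_EOF) and replace the buffer with an empty string; bail out before re-advancing cur past it. */`. The same `cur -= l; GROW; cur += l;` idiom presumably exists in the sibling *Complex name parsers in this file, and those would need the same ordering — worth checking rather than fixing only this call site. The enclosing loop and xmlParseNCNameComplex itself start and end outside this hunk, so any earlier GROW in the function is not visible here.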