| field | value | date |
|---|---|---|
| author | Nick Wellnhofer <wellnhofer@aevum.de> | 2018-01-08 18:48:01 +0100 |
| committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2018-01-08 18:48:01 +0100 |
| commit | 132af1a0d1e949ea0a488c31689f83c1dde7df7d (patch) | |
| tree | 6bdfc12ed88c6feddc0ef518ea107ca459e23674 | |
| parent | ad88b54f1a28a8565964a370b5d387927b633c0d (diff) | |
| download | libxml2-132af1a0d1e949ea0a488c31689f83c1dde7df7d.tar.gz | |
Fix buffer over-read in xmlParseNCNameComplex
Calling GROW can halt the parser if the buffer grows too large. This
will set the buffer to an empty string. Return immediately in this case,
otherwise the "current" pointer is advanced leading to a buffer over-read.
Found with OSS-Fuzz. See
https://oss-fuzz.com/testcase?key=6683819592646656
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5031
-rw-r--r-- | parser.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -3370,9 +3370,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { */ ctxt->input->cur -= l; GROW; - ctxt->input->cur += l; if (ctxt->instate == XML_PARSER_EOF) return(NULL); + ctxt->input->cur += l; c = CUR_CHAR(l); } } |
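Review bot: the reordering is correct but the ordering is subtle and easy to undo in a later refactor, so the hunk should carry a comment stating why `ctxt->input->cur += l;` must come after the `XML_PARSER_EOF` check, e.g. `/* GROW may halt the parser and replace the buffer with an empty string; do not touch cur in that case */`. As the commit message explains, once GROW halts the parser the input buffer is empty, so re-adding `l` to `cur` before the check moves the pointer past the end of that empty buffer and the subsequent `CUR_CHAR(l)` reads out of bounds; with the restore placed after the early `return(NULL)`, `cur` is only advanced when the buffer still holds the original data. Since the report came with an OSS-Fuzz reproducer, consider adding it to the regression suite so the ordering is protected by a test rather than only by this commit message.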