diff options
| author | Nick Wellnhofer <wellnhofer@aevum.de> | 2020-07-11 14:34:57 +0200 |
|---|---|---|
| committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2020-07-11 14:39:52 +0200 |
| commit | 3f18e7486d5feb8ae41911ce3c122e05641a4c3d (patch) | |
| tree | 8646297eace13dfc08bcfffd927ab0a240d3681d /HTMLparser.c | |
| parent | 3da8d947df1f84e54b12145ca2cfa1ff6456f532 (diff) | |
| download | libxml2-3f18e7486d5feb8ae41911ce3c122e05641a4c3d.tar.gz | |
Reset HTML parser input before reporting error
Avoid use-after-free, similar to 13ba5b61. Also make sure that
xmlBufSetInputBaseCur sets valid pointers in case of buffer errors.
Found by OSS-Fuzz.
Diffstat (limited to 'HTMLparser.c')
| -rw-r--r-- | HTMLparser.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/HTMLparser.c b/HTMLparser.c index 9b12dd1f..1dea7947 100644 --- a/HTMLparser.c +++ b/HTMLparser.c @@ -6150,12 +6150,12 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size, int res; res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk); + xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur); if (res < 0) { ctxt->errNo = XML_PARSER_EOF; ctxt->disableSAX = 1; return (XML_PARSER_EOF); } - xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur); #ifdef DEBUG_PUSH xmlGenericError(xmlGenericErrorContext, "HPP: pushed %d\n", size); #endif |