authorDavid Kilzer <ddkilzer@apple.com>2016-01-26 16:57:03 -0800
committerDaniel Veillard <veillard@redhat.com>2016-05-23 15:01:07 +0800
commit00906759053986b8079985644172085f74331f83 (patch)
tree601118b023e44bb4d09a25bd36c7e59c9655113f /parser.c
parent38eae571111db3b43ffdeb05487c9f60551906fb (diff)
Heap-based buffer-underreads due to xmlParseName
For https://bugzilla.gnome.org/show_bug.cgi?id=759573 * parser.c: (xmlParseElementDecl): Return early on invalid input to fix the non-minimized test case (759573-2.xml). Otherwise the parser gets into a bad state in SKIP(3) at the end of the function. (xmlParseConditionalSections): Halt parsing when hitting invalid input that would otherwise have caused xmlParserHandlePEReference() to recurse unexpectedly. This fixes the minimized test case (759573.xml). * result/errors/759573-2.xml: Add. * result/errors/759573-2.xml.err: Add. * result/errors/759573-2.xml.str: Add. * result/errors/759573.xml: Add. * result/errors/759573.xml.err: Add. * result/errors/759573.xml.str: Add. * test/errors/759573-2.xml: Add. * test/errors/759573.xml: Add.
Diffstat (limited to 'parser.c')
-rw-r--r--parser.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/parser.c b/parser.c
index 7aba6a9b..ea0e89ea 100644
--- a/parser.c
+++ b/parser.c
@@ -6708,6 +6708,7 @@ xmlParseElementDecl(xmlParserCtxtPtr ctxt) {
if (!IS_BLANK_CH(CUR)) {
xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
"Space required after 'ELEMENT'\n");
+ return(-1);
}
SKIP_BLANKS;
name = xmlParseName(ctxt);
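Review bot: The added `return(-1)` carries no explanation of why bailing out here is security-relevant, so on the new side it reads like an ordinary error path rather than the fix for a heap under-read, and a later cleanup could treat it as redundant with the fatal error already reported. I would annotate it with the reason given in the commit message, e.g. `return(-1); /* bug 759573: falling through reaches the trailing SKIP(3) with the cursor in a bad state and under-reads the input buffer */`. xmlParseElementDecl's body, including the SKIP(3) the description refers to, lies outside this hunk, so that reasoning is taken from the commit message rather than from the visible lines. It would also be worth confirming that the caller's no-progress check (rather than this function) is what prevents a recovery-mode loop when the cursor is left just after `ELEMENT`, since the other `return(-1)` paths in this function presumably leave the input positioned mid-declaration in the same way.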
@@ -6859,6 +6860,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
+ xmlHaltParser(ctxt);
break;
}
}