| | | |
|---|---|---|
| author | Pranjal Jumde <pjumde@apple.com> | 2016-03-01 11:34:04 -0800 |
| committer | Daniel Veillard <veillard@redhat.com> | 2016-05-23 15:01:07 +0800 |
| commit | a820dbeac29d330bae4be05d9ecd939ad6b4aa33 (patch) | |
| tree | 1f027e11ed873ef1b0535af7e98f8c5fa0e3d73a /result | |
| parent | db07dd613e461df93dde7902c6505629bf0734e9 (diff) | |
| download | libxml2-a820dbeac29d330bae4be05d9ecd939ad6b4aa33.tar.gz | |
Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605> CVE-2016-1839
Reviewed by David Kilzer.
* HTMLparser.c:
(htmlParseName): Add bounds check.
(htmlParseNameComplex): Ditto.
* result/HTML/758605.html: Added.
* result/HTML/758605.html.err: Added.
* result/HTML/758605.html.sax: Added.
* runtest.c:
(pushParseTest): The input for the new test case was so small
(4 bytes) that htmlParseChunk() was never called after
htmlCreatePushParserCtxt(), thereby creating a false positive
test failure. Fixed by using a do-while loop so we always call
htmlParseChunk() at least once.
* test/HTML/758605.html: Added.
Diffstat (limited to 'result')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | result/HTML/758605.html | 3 |
| -rw-r--r-- | result/HTML/758605.html.err | 3 |
| -rw-r--r-- | result/HTML/758605.html.sax | 13 |

3 files changed, 19 insertions, 0 deletions
diff --git a/result/HTML/758605.html b/result/HTML/758605.html new file mode 100644 index 00000000..a085cce3 --- /dev/null +++ b/result/HTML/758605.html @@ -0,0 +1,3 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> +<html><body><p>& +</p></body></html> diff --git a/result/HTML/758605.html.err b/result/HTML/758605.html.err new file mode 100644 index 00000000..2b82be66 --- /dev/null +++ b/result/HTML/758605.html.err @@ -0,0 +1,3 @@ +./test/HTML/758605.html:1: HTML parser error : htmlParseEntityRef: no name +ê + ^ diff --git a/result/HTML/758605.html.sax b/result/HTML/758605.html.sax new file mode 100644 index 00000000..1f5cd320 --- /dev/null +++ b/result/HTML/758605.html.sax @@ -0,0 +1,13 @@ +SAX.setDocumentLocator() +SAX.startDocument() +SAX.error: htmlParseEntityRef: no name +SAX.startElement(html) +SAX.startElement(body) +SAX.startElement(p) +SAX.characters(&, 1) +SAX.ignorableWhitespace( +, 1) +SAX.endElement(p) +SAX.endElement(body) +SAX.endElement(html) +SAX.endDocument() |
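Review bot: the expected output in result/HTML/758605.html depends on test/HTML/758605.html, which is outside this diff view (limited to 'result'); the commit message lists that input as added, so confirm it lands in the same commit, otherwise runtest fails on a missing input rather than exercising the htmlParseName bounds check this case is meant to cover. The `<p>&` followed by `</p>` in the serialized result is the recovery behaviour being pinned: a lone `&` with no name after it is kept as literal text instead of the parser reading on past the end of the buffer.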
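Review bot: the context line in result/HTML/758605.html.err (`+ê`) carries a raw non-ASCII byte from the input rather than printable text, so this expected file is only meaningful when compared byte-for-byte; make sure it is committed without charset or line-ending conversion (editor settings, git attributes), or the comparison in runtest will fail on an otherwise correct fix. The `htmlParseEntityRef: no name` message with the caret on the next line is the expected diagnostic for the bare ampersand, so any change to that wording will need this file regenerated.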
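Review bot: in result/HTML/758605.html.sax the `SAX.characters(&, 1)` event with a length of exactly 1 is the check that matters for CVE-2016-1839: it records that htmlParseName stopped at the end of the available input instead of reading past it, so a regression would surface here as a longer or garbled character run; a short comment in the test list pointing at that would help, since the file otherwise reads like an ordinary SAX trace. Note also that `SAX.error` is emitted before `SAX.startElement(html)`, so this expected file encodes the current ordering of error reporting relative to implied-tag insertion and will need updating if that ordering ever changes.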