author: Pranjal Jumde <pjumde@apple.com> 2016-03-01 11:34:04 -0800
committer: Daniel Veillard <veillard@redhat.com> 2016-05-23 15:01:07 +0800
commit: a820dbeac29d330bae4be05d9ecd939ad6b4aa33
tree: 1f027e11ed873ef1b0535af7e98f8c5fa0e3d73a /result
parent: db07dd613e461df93dde7902c6505629bf0734e9
download: libxml2-a820dbeac29d330bae4be05d9ecd939ad6b4aa33.tar.gz
Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605>
CVE-2016-1839

Reviewed by David Kilzer.

* HTMLparser.c:
(htmlParseName): Add bounds check.
(htmlParseNameComplex): Ditto.
* result/HTML/758605.html: Added.
* result/HTML/758605.html.err: Added.
* result/HTML/758605.html.sax: Added.
* runtest.c:
(pushParseTest): The input for the new test case was so small (4 bytes) that htmlParseChunk() was never called after htmlCreatePushParserCtxt(), thereby creating a false positive test failure. Fixed by using a do-while loop so we always call htmlParseChunk() at least once.
* test/HTML/758605.html: Added.
Diffstat (limited to 'result')

-rw-r--r--  result/HTML/758605.html       3
-rw-r--r--  result/HTML/758605.html.err   3
-rw-r--r--  result/HTML/758605.html.sax  13

3 files changed, 19 insertions, 0 deletions
diff --git a/result/HTML/758605.html b/result/HTML/758605.html
new file mode 100644
index 00000000..a085cce3
--- /dev/null
+++ b/result/HTML/758605.html
@@ -0,0 +1,3 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
+<html><body><p>&amp;
+</p></body></html>
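Review bot: This expected output only pins down the empty-name error path (a bare `&` with nothing usable after it, matching the `htmlParseEntityRef: no name` error in the companion .err file). Since the commit message says bounds checks were added to both htmlParseName and htmlParseNameComplex, a second expected-result file for an input that ends inside a partially written entity name would exercise the non-empty path as well and would catch a regression there that this case cannot.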
diff --git a/result/HTML/758605.html.err b/result/HTML/758605.html.err
new file mode 100644
index 00000000..2b82be66
--- /dev/null
+++ b/result/HTML/758605.html.err
@@ -0,0 +1,3 @@
+./test/HTML/758605.html:1: HTML parser error : htmlParseEntityRef: no name
+ ^
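Review bot: The hunk header `@@ -0,0 +1,3 @@` announces three added lines, but only two are visible here, so the source context line that the caret on the last line is meant to point into is missing from this view. When regenerating the .err file, confirm it contains the offending line 1 text above the caret; a caret against an empty line gives the reader no column to check the reported error position against.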
diff --git a/result/HTML/758605.html.sax b/result/HTML/758605.html.sax
new file mode 100644
index 00000000..1f5cd320
--- /dev/null
+++ b/result/HTML/758605.html.sax
@@ -0,0 +1,13 @@
+SAX.setDocumentLocator()
+SAX.startDocument()
+SAX.error: htmlParseEntityRef: no name
+SAX.startElement(html)
+SAX.startElement(body)
+SAX.startElement(p)
+SAX.characters(&amp;, 1)
+SAX.ignorableWhitespace(
+, 1)
+SAX.endElement(p)
+SAX.endElement(body)
+SAX.endElement(html)
+SAX.endDocument()
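Review bot: `SAX.characters(&amp;, 1)` reports a length of 1 while showing five characters, so the single `&` byte the callback delivered has been entity-escaped somewhere between the SAX output and this listing. The checked-in .sax file has to hold the raw byte the callback produced, otherwise runtest's comparison against freshly generated output will fail on this line even though the parser behaviour is correct.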