Fix buffer over-read in xmlParseNCNameComplex

Calling GROW can halt the parser if the buffer grows too large. This will set the buffer to an empty string. Return immediately in this case, otherwise the "current" pointer is advanced leading to a buffer over-read. Found with OSS-Fuzz. See https://oss-fuzz.com/testcase?key=6683819592646656 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5031
2024-10-27 04:55:04 +03:00 · 2018-01-08 18:48:01 +01:00 · 2018-01-08 18:48:01 +01:00 · 132af1a0d1
commit 132af1a0d1
parent ad88b54f1a
1 changed files with 1 additions and 1 deletions
--- a/parser.c
+++ b/parser.c
@ -3370,9 +3370,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
 	     */
 	    ctxt->input->cur -= l;
 	    GROW;
-	    ctxt->input->cur += l;
            if (ctxt->instate == XML_PARSER_EOF)
                return(NULL);
+	    ctxt->input->cur += l;
 	    c = CUR_CHAR(l);
 	}
    }