shaba/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-03-20 18:50:08 +03:00
Code

Fix more quadratic runtime issues in HTML push parser

Browse Source 
Make sure that checkIndex is set when returning without match from
inside a comment. Also track parser state in htmlParseLookupChars.

Found by OSS-Fuzz.
This commit is contained in:
Nick Wellnhofer 2020-07-09 16:08:38 +02:00
parent 741b0d0a8b
commit 3da8d947df
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
HTMLparser.c
View File

@ -5205,7 +5205,7 @@ htmlParseLookupSequence(htmlParserCtxtPtr ctxt, xmlChar first,
}
if (incomment) {
if (base + 3 > len)
return (-1);
break;
if ((buf[base] == '-') && (buf[base + 1] == '-') &&
(buf[base + 2] == '>')) {
incomment = 0;
@ -5294,8 +5294,11 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
if (base < 0)
return (-1);
if (ctxt->checkIndex > base)
if (ctxt->checkIndex > base) {
base = ctxt->checkIndex;
/* Abuse hasPErefs member to restore current state. */
incomment = ctxt->hasPErefs & 1 ? 1 : 0;
}
if (in->buf == NULL) {
buf = in->base;
@ -5316,7 +5319,7 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
}
if (incomment) {
if (base + 3 > len)
return (-1);
break;
if ((buf[base] == '-') && (buf[base + 1] == '-') &&
(buf[base + 2] == '>')) {
incomment = 0;
@ -5332,6 +5335,8 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
}
}
ctxt->checkIndex = base;
/* Abuse hasPErefs member to track current state. */
ctxt->hasPErefs = incomment;
return (-1);
}