shaba/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-03-13 20:58:16 +03:00
Code

Reset HTML parser input before reporting error

Browse Source 
Avoid use-after-free, similar to 13ba5b61. Also make sure that
xmlBufSetInputBaseCur sets valid pointers in case of buffer errors.

Found by OSS-Fuzz.
This commit is contained in:
Nick Wellnhofer 2020-07-11 14:34:57 +02:00
parent 3da8d947df
commit 3f18e7486d
2 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
HTMLparser.c
View File

@ -6150,12 +6150,12 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size,
int res;
res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
if (res < 0) {
ctxt->errNo = XML_PARSER_EOF;
ctxt->disableSAX = 1;
return (XML_PARSER_EOF);
}
xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
#ifdef DEBUG_PUSH
xmlGenericError(xmlGenericErrorContext, "HPP: pushed %d\n", size);
#endif

6
buf.c
View File

@ -1334,8 +1334,12 @@ xmlBufGetInputBase(xmlBufPtr buf, xmlParserInputPtr input) {
int
xmlBufSetInputBaseCur(xmlBufPtr buf, xmlParserInputPtr input,
size_t base, size_t cur) {
if ((input == NULL) || (buf == NULL) || (buf->error))
if (input == NULL)
return(-1);
if ((buf == NULL) || (buf->error)) {
input->base = input->cur = input->end = BAD_CAST "";
return(-1);
}
CHECK_COMPAT(buf)
input->base = &buf->content[base];
input->cur = input->base + cur;