
Fix quadratic runtime when parsing HTML script content

If htmlParseScript returns upon hitting an invalid character,
htmlParseLookupSequence will be called again with checkIndex reset to
zero, potentially resulting in quadratic runtime. Make sure that
htmlParseScript consumes all input in one go and simply skips over
invalid characters similar to htmlParseCharDataInternal.

Found by OSS-Fuzz.
Nick Wellnhofer 2020-07-12 20:28:47 +02:00
parent d6761e706f
commit 500789224b


@ -2928,7 +2928,7 @@ htmlParseScript(htmlParserCtxtPtr ctxt) {
SHRINK;
cur = CUR_CHAR(l);
while (IS_CHAR_CH(cur)) {
while (cur != 0) {
if ((cur == '<') && (NXT(1) == '/')) {
/*
* One should break here, the specification is clear:
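Review bot: The new loop condition `while (cur != 0)` leaves its termination contract implicit: the loop no longer stops on an invalid character, so it now ends only when CUR_CHAR yields 0, which presumably means end of input (whether an embedded NUL byte is mapped to something else by htmlCurrentChar before it reaches this loop should be confirmed). A one-line comment above the loop would make that explicit, e.g. `/* Consume the whole script in one pass: invalid chars are reported and skipped below, so only CUR_CHAR returning 0 (end of input) ends the loop. */`. In the second hunk, the new `else` branch reports each invalid character with its own htmlParseErrInt call and drops it from the buffer; that keeps runtime linear but can be noisy on garbage input, and a short comment noting that this mirrors htmlParseCharDataInternal would help the next reader. htmlParseScript continues outside these hunks.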
@ -2959,7 +2959,12 @@ htmlParseScript(htmlParserCtxtPtr ctxt) {
}
}
}
COPY_BUF(l,buf,nbchar,cur);
if (IS_CHAR_CH(cur)) {
COPY_BUF(l,buf,nbchar,cur);
} else {
htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR,
"Invalid char in CDATA 0x%X\n", cur);
}
if (nbchar >= HTML_PARSER_BIG_BUFFER_SIZE) {
buf[nbchar] = 0;
if (ctxt->sax->cdataBlock!= NULL) {
@ -2977,14 +2982,6 @@ htmlParseScript(htmlParserCtxtPtr ctxt) {
cur = CUR_CHAR(l);
}
if ((!(IS_CHAR_CH(cur))) && (!((cur == 0) && (ctxt->progressive)))) {
htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR,
"Invalid char in CDATA 0x%X\n", cur);
if (ctxt->input->cur < ctxt->input->end) {
NEXT;
}
}
if ((nbchar != 0) && (ctxt->sax != NULL) && (!ctxt->disableSAX)) {
buf[nbchar] = 0;
if (ctxt->sax->cdataBlock!= NULL) {