shaba/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-03-13 20:58:16 +03:00
Code

Fix infinite loops with push parser in recovery mode

Browse Source 
Make sure that the input pointer advances in case of errors. Otherwise,
the push parser can loop infinitely.

Found with libFuzzer.
This commit is contained in:
Nick Wellnhofer 2017-07-01 17:49:30 +02:00
parent f435365b59
commit 52ceced6e7
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
parser.c
View File

@ -4421,7 +4421,7 @@ get_more:
if (*in == ']') {
if ((in[1] == ']') && (in[2] == '>')) {
xmlFatalErr(ctxt, XML_ERR_MISPLACED_CDATA_END, NULL);
ctxt->input->cur = in;
ctxt->input->cur = in + 1;
return;
}
in++;
@ -4574,7 +4574,7 @@ xmlParseCharDataComplex(xmlParserCtxtPtr ctxt, int cdata) {
}
}
}
if ((cur != 0) && (!IS_CHAR(cur))) {
if ((ctxt->input->cur < ctxt->input->end) && (!IS_CHAR(cur))) {
/* Generate the error and skip the offending character */
xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR,
"PCDATA invalid Char value %d\n",