mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-01-15 23:24:06 +03:00

parser: Add overflow checks to xmlParseLookup functions

Short-lived regression found by OSS-Fuzz.
Nick Wellnhofer 2022-11-21 18:29:54 +01:00
parent d7e698fca8
commit bfc55d6884


@ -11083,14 +11083,17 @@ xmlParseExtParsedEnt(xmlParserCtxtPtr ctxt) {
static int
xmlParseLookupChar(xmlParserCtxtPtr ctxt, int c) {
const xmlChar *cur;
const xmlChar *end = ctxt->input->end;
if (ctxt->checkIndex == 0) {
cur = ctxt->input->cur + 1;
} else {
cur = ctxt->input->cur + ctxt->checkIndex;
}
if (cur >= end)
return(0);
if (memchr(cur, c, ctxt->input->end - cur) == NULL) {
if (memchr(cur, c, end - cur) == NULL) {
ctxt->checkIndex = ctxt->input->end - ctxt->input->cur;
return(0);
} else {
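Review bot: The added `if (cur >= end)` guard in xmlParseLookupChar tests `cur` only after it has been computed as `ctxt->input->cur + ctxt->checkIndex`, so if the saved index exceeds the remaining input, the out-of-range pointer is still formed before it is rejected. Comparing offsets before the pointer arithmetic would avoid that, by checking the chosen offset (1 or `ctxt->checkIndex`) against `end - ctxt->input->cur`; the type and sign of checkIndex are not visible in this hunk, so the exact cast needs confirming. The guard also deserves a one-line comment, for example `/* Stale checkIndex: avoid passing a negative length to memchr. */`, if that is indeed the case the fuzzer hit. The unchanged line `ctxt->checkIndex = ctxt->input->end - ctxt->input->cur;` could use the new local `end` for consistency. The function body continues past the end of this hunk.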
@ -11112,17 +11115,18 @@ static const xmlChar *
xmlParseLookupString(xmlParserCtxtPtr ctxt, size_t startDelta,
const char *str, size_t strLen) {
const xmlChar *cur, *term;
const xmlChar *end = ctxt->input->end;
if (ctxt->checkIndex == 0) {
cur = ctxt->input->cur + startDelta;
} else {
cur = ctxt->input->cur + ctxt->checkIndex;
}
if (cur >= end)
return(0);
term = BAD_CAST strstr((const char *) cur, str);
if (term == NULL) {
const xmlChar *end = ctxt->input->end;
/* Rescan (strLen - 1) characters. */
if ((size_t) (end - cur) < strLen)
end = cur;