mirror of
https://gitlab.gnome.org/GNOME/libxml2.git
synced 2024-12-27 03:21:26 +03:00
malloc-fail: Fix erroneous report in xmlStringGetNodeList
The parser can produce invalid attribute content in recovery mode. Unless this is fixed, xmlStringGetNodeList should ignore such errors silently.
parent
c8f1f4a280
commit
c49572e57d
35
tree.c
35
tree.c
@ -1210,6 +1210,16 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
|
||||
xmlEntityPtr ent;
|
||||
xmlBufPtr buf;
|
||||
|
||||
/*
|
||||
* This function should only receive valid attribute values that
|
||||
* were checked by the parser, typically by xmlParseAttValueComplex
|
||||
* calling xmlStringDecodeEntities.
|
||||
*
|
||||
* In recovery mode, the parser can produce invalid attribute
|
||||
* values. For now, we ignore any errors silently. If this is fixed,
|
||||
* we could add assertions here to catch parser issues.
|
||||
*/
|
||||
|
||||
if (value == NULL) return(NULL);
|
||||
cur = value;
|
||||
end = cur + len;
|
||||
@ -1239,16 +1249,6 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
|
||||
else
|
||||
tmp = 0;
|
||||
while (tmp != ';') { /* Non input consuming loop */
|
||||
/*
|
||||
* If you find an integer overflow here when fuzzing,
|
||||
* the bug is probably elsewhere. This function should
|
||||
* only receive entities that were already validated by
|
||||
* the parser, typically by xmlParseAttValueComplex
|
||||
* calling xmlStringDecodeEntities.
|
||||
*
|
||||
* So it's better *not* to check for overflow to
|
||||
* potentially discover new bugs.
|
||||
*/
|
||||
if ((tmp >= '0') && (tmp <= '9'))
|
||||
charval = charval * 16 + (tmp - '0');
|
||||
else if ((tmp >= 'a') && (tmp <= 'f'))
|
||||
@ -1299,7 +1299,7 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
|
||||
q = cur;
|
||||
while ((cur < end) && (*cur != 0) && (*cur != ';')) cur++;
|
||||
if ((cur >= end) || (*cur == 0))
|
||||
goto out;
|
||||
break;
|
||||
if (cur != q) {
|
||||
/*
|
||||
* Predefined entities don't generate nodes
|
||||
@ -1443,6 +1443,16 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
|
||||
xmlEntityPtr ent;
|
||||
xmlBufPtr buf;
|
||||
|
||||
/*
|
||||
* This function should only receive valid attribute values that
|
||||
* were checked by the parser, typically by xmlParseAttValueComplex
|
||||
* calling xmlStringDecodeEntities.
|
||||
*
|
||||
* In recovery mode, the parser can produce invalid attribute
|
||||
* values. For now, we ignore any errors silently. If this is fixed,
|
||||
* we could add assertions here to catch parser issues.
|
||||
*/
|
||||
|
||||
if (value == NULL) return(NULL);
|
||||
|
||||
buf = xmlBufCreateSize(0);
|
||||
@ -1467,7 +1477,6 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
|
||||
cur += 3;
|
||||
tmp = *cur;
|
||||
while (tmp != ';') { /* Non input consuming loop */
|
||||
/* Don't check for integer overflow, see above. */
|
||||
if ((tmp >= '0') && (tmp <= '9'))
|
||||
charval = charval * 16 + (tmp - '0');
|
||||
else if ((tmp >= 'a') && (tmp <= 'f'))
|
||||
@ -1509,7 +1518,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
|
||||
q = cur;
|
||||
while ((*cur != 0) && (*cur != ';')) cur++;
|
||||
if (*cur == 0)
|
||||
goto out;
|
||||
break;
|
||||
if (cur != q) {
|
||||
/*
|
||||
* Predefined entities don't generate nodes
|
||||
|
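Review bot: The hex character-reference loops in both xmlStringLenGetNodeList and xmlStringGetNodeList still run `charval = charval * 16 + (tmp - '0')` with no bound, while the new header comment says recovery mode can hand these functions invalid attribute values. That removes the premise of the deleted comment, which skipped the overflow check because the parser had already validated the input. The declaration of charval is outside the hunks, but if it is a signed int, a long run of digits is signed overflow, which is undefined behaviour rather than a silently ignored error. Consider saturating after each accumulation step, for example `if (charval >= 0x110000) charval = 0x110000;`, and treating the saturated value as an invalid code point afterwards. The loop bodies continue outside the visible hunks, so the decimal branch and the code that consumes charval need the same treatment.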