Fix sanity check in htmlParseNameComplex

- (cur - len) can overflow. - Throw an internal error. Fixes bug 780077.
2024-10-26 20:25:14 +03:00 · 2017-06-11 12:35:59 +02:00 · 2017-06-11 12:35:59 +02:00 · f39e3be0dd
commit f39e3be0dd
parent 79c8a6b105
1 changed files with 6 additions and 2 deletions
--- a/HTMLparser.c
+++ b/HTMLparser.c
@ -2528,8 +2528,12 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) {
 	}
    }

-    if (ctxt->input->base > ctxt->input->cur - len)
-	return(NULL);
+    if (ctxt->input->cur - ctxt->input->base < len) {
+        /* Sanity check */
+	htmlParseErr(ctxt, XML_ERR_INTERNAL_ERROR,
+                     "unexpected change of input buffer", NULL, NULL);
+        return (NULL);
+    }

    return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
 }