From 3f18e7486d5feb8ae41911ce3c122e05641a4c3d Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 11 Jul 2020 14:34:57 +0200
Subject: [PATCH] Reset HTML parser input before reporting error

Avoid use-after-free, similar to 13ba5b61. Also make sure that
xmlBufSetInputBaseCur sets valid pointers in case of buffer errors.

Found by OSS-Fuzz.

diff --git a/HTMLparser.c b/HTMLparser.c
index 9b12dd1..1dea794 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -6150,12 +6150,12 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size,
 	int res;
 
 	res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
+        xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
 	if (res < 0) {
 	    ctxt->errNo = XML_PARSER_EOF;
 	    ctxt->disableSAX = 1;
 	    return (XML_PARSER_EOF);
 	}
-        xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
 #ifdef DEBUG_PUSH
 	xmlGenericError(xmlGenericErrorContext, "HPP: pushed %d\n", size);
 #endif
diff --git a/buf.c b/buf.c
index 8ad18a1..24368d3 100644
--- a/buf.c
+++ b/buf.c
@@ -1334,8 +1334,12 @@ xmlBufGetInputBase(xmlBufPtr buf, xmlParserInputPtr input) {
 int
 xmlBufSetInputBaseCur(xmlBufPtr buf, xmlParserInputPtr input,
                       size_t base, size_t cur) {
-    if ((input == NULL) || (buf == NULL) || (buf->error))
+    if (input == NULL)
+        return(-1);
+    if ((buf == NULL) || (buf->error)) {
+        input->base = input->cur = input->end = BAD_CAST "";
         return(-1);
+    }
     CHECK_COMPAT(buf)
     input->base = &buf->content[base];
     input->cur = input->base + cur;
-- 
1.8.3.1