50 lines
1.6 KiB
Diff
50 lines
1.6 KiB
Diff
From 3f18e7486d5feb8ae41911ce3c122e05641a4c3d Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Sat, 11 Jul 2020 14:34:57 +0200
|
|
Subject: [PATCH] Reset HTML parser input before reporting error
|
|
|
|
Avoid use-after-free, similar to 13ba5b61. Also make sure that
|
|
xmlBufSetInputBaseCur sets valid pointers in case of buffer errors.
|
|
|
|
Found by OSS-Fuzz.
|
|
|
|
diff --git a/HTMLparser.c b/HTMLparser.c
|
|
index 9b12dd1..1dea794 100644
|
|
--- a/HTMLparser.c
|
|
+++ b/HTMLparser.c
|
|
@@ -6150,12 +6150,12 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size,
|
|
int res;
|
|
|
|
res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
|
|
+ xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
|
|
if (res < 0) {
|
|
ctxt->errNo = XML_PARSER_EOF;
|
|
ctxt->disableSAX = 1;
|
|
return (XML_PARSER_EOF);
|
|
}
|
|
- xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
|
|
#ifdef DEBUG_PUSH
|
|
xmlGenericError(xmlGenericErrorContext, "HPP: pushed %d\n", size);
|
|
#endif
|
|
diff --git a/buf.c b/buf.c
|
|
index 8ad18a1..24368d3 100644
|
|
--- a/buf.c
|
|
+++ b/buf.c
|
|
@@ -1334,8 +1334,12 @@ xmlBufGetInputBase(xmlBufPtr buf, xmlParserInputPtr input) {
|
|
int
|
|
xmlBufSetInputBaseCur(xmlBufPtr buf, xmlParserInputPtr input,
|
|
size_t base, size_t cur) {
|
|
- if ((input == NULL) || (buf == NULL) || (buf->error))
|
|
+ if (input == NULL)
|
|
+ return(-1);
|
|
+ if ((buf == NULL) || (buf->error)) {
|
|
+ input->base = input->cur = input->end = BAD_CAST "";
|
|
return(-1);
|
|
+ }
|
|
CHECK_COMPAT(buf)
|
|
input->base = &buf->content[base];
|
|
input->cur = input->base + cur;
|
|
--
|
|
1.8.3.1
|
|
|