From 13ba5b619a153f240320eb92b59158d657bdeb3a Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 28 Jun 2020 13:16:46 +0200
Subject: [PATCH] Reset HTML parser input before reporting encoding error
If charset conversion fails, reset the input pointers before reporting
the error and bailing out. Otherwise, the input pointers are left in an
invalid state which could lead to use-after-free and other memory
errors.
Similar to f9e7997e. Found by OSS-Fuzz.
---
HTMLparser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
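diff --git a/HTMLparser.c b/HTMLparser.c
index 9ade6635..7fba9429 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -6160,12 +6160,12 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size,
 size_t current = ctxt->input->cur - ctxt->input->base;
 
 nbchars = xmlCharEncInput(in, terminate);
+xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
 if (nbchars < 0) {
 htmlParseErr(ctxt, XML_ERR_INVALID_ENCODING,
 "encoder error\n", NULL, NULL);
 return(XML_ERR_INVALID_ENCODING);
 }
-xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
 }
 }
 }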
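Review bot: The relocated `xmlBufSetInputBaseCur` call has no comment saying why it must precede the `nbchars < 0` branch, so a later tidy-up could move it back below the error check and silently reintroduce the use-after-free the commit message describes. Add a one-line comment above it along the lines of `/* Reset input->base/cur right after conversion, before htmlParseErr runs: the pointers are stale until this call and the error path must not see them. */`. The enclosing htmlParseChunk and the declaration of `base` lie outside the hunk, so I can't tell from here whether any other conversion site in this file still reports an error before resetting the input; since the message says this mirrors f9e7997e, a grep for other `xmlCharEncInput` callers followed by an error report would close that out. As the bug was found by OSS-Fuzz, adding the reproducer to the regression inputs would pin the ordering.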
--
2.27.0