You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
100 lines
34 KiB
100 lines
34 KiB
7 years ago
|
From 23ee7ce40943d063f1a15d672ae893e9bf1b0924 Mon Sep 17 00:00:00 2001
|
||
|
|
From: David Kilzer <ddkilzer@apple.com>
|
||
|
|
Date: Fri, 12 Feb 2016 09:58:29 -0800
|
||
|
|
Subject: [PATCH] Bug 758588: Heap-based buffer overread in
|
||
|
|
xmlParserPrintFileContextInternal
|
||
|
|
<https://bugzilla.gnome.org/show_bug.cgi?id=758588>
|
||
|
|
To: libvir-list@redhat.com
|
||
|
|
|
||
|
|
* parser.c:
|
||
|
|
(xmlParseEndTag2): Add bounds checks before dereferencing
|
||
|
|
ctxt->input->cur past the end of the buffer, or incrementing the
|
||
|
|
pointer past the end of the buffer.
|
||
|
|
|
||
|
|
* result/errors/758588.xml: Add test result.
|
||
|
|
* result/errors/758588.xml.err: Ditto.
|
||
|
|
* result/errors/758588.xml.str: Ditto.
|
||
|
|
* test/errors/758588.xml: Add regression test.
|
||
|
|
|
||
|
|
Signed-off-by: Daniel Veillard <veillard@redhat.com>
|
||
|
|
---
|
||
|
|
parser.c | 8 ++++++--
|
||
|
|
result/errors/758588.xml | 0
|
||
|
|
result/errors/758588.xml.err | 9 +++++++++
|
||
|
|
result/errors/758588.xml.str | 10 ++++++++++
|
||
|
|
test/errors/758588.xml | 1 +
|
||
|
|
5 files changed, 26 insertions(+), 2 deletions(-)
|
||
|
|
create mode 100644 result/errors/758588.xml
|
||
|
|
create mode 100644 result/errors/758588.xml.err
|
||
|
|
create mode 100644 result/errors/758588.xml.str
|
||
|
|
create mode 100644 test/errors/758588.xml
|
||
|
|
|
||
|
|
diff --git a/parser.c b/parser.c
|
||
|
|
index b1215ca..03bc4f8 100644
|
||
|
|
--- a/parser.c
|
||
|
|
+++ b/parser.c
|
||
|
|
@@ -9758,6 +9758,7 @@ static void
|
||
|
|
xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix,
|
||
|
|
const xmlChar *URI, int line, int nsNr, int tlen) {
|
||
|
|
const xmlChar *name;
|
||
|
|
+ size_t curLength;
|
||
|
|
|
||
|
|
GROW;
|
||
|
|
if ((RAW != '<') || (NXT(1) != '/')) {
|
||
|
|
@@ -9766,8 +9767,11 @@ xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix,
|
||
|
|
}
|
||
|
|
SKIP(2);
|
||
|
|
|
||
|
|
- if ((tlen > 0) && (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) {
|
||
|
|
- if (ctxt->input->cur[tlen] == '>') {
|
||
|
|
+ curLength = ctxt->input->end - ctxt->input->cur;
|
||
|
|
+ if ((tlen > 0) && (curLength >= (size_t)tlen) &&
|
||
|
|
+ (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) {
|
||
|
|
+ if ((curLength >= (size_t)(tlen + 1)) &&
|
||
|
|
+ (ctxt->input->cur[tlen] == '>')) {
|
||
|
|
ctxt->input->cur += tlen + 1;
|
||
|
|
goto done;
|
||
|
|
}
|
||
|
|
diff --git a/result/errors/758588.xml.err b/result/errors/758588.xml.err
|
||
|
|
new file mode 100644
|
||
|
|
index 0000000..dfa59bc
|
||
|
|
--- /dev/null
|
||
|
|
+++ b/result/errors/758588.xml.err
|
||
|
|
@@ -0,0 +1,9 @@
|
||
|
|
+./test/errors/758588.xml:1: namespace error : Namespace prefix a-340282366920938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686
|
||
|
|
+63472597946867209384634725979468672093846347259794686720938463472597946867261d:a
|
||
|
|
+ ^
|
||
|
|
+./test/errors/758588.xml:1: parser error : expected '>'
|
||
|
|
+2597946867209384634725979468672093846347259794686720938463472597946867261d:a></a
|
||
|
|
+ ^
|
||
|
|
+./test/errors/758588.xml:1: parser error : Opening and ending tag mismatch: a line 1 and a
|
||
|
|
+2597946867209384634725979468672093846347259794686720938463472597946867261d:a></a
|
||
|
|
+ ^
|
||
|
|
diff --git a/result/errors/758588.xml.str b/result/errors/758588.xml.str
|
||
|
|
new file mode 100644
|
||
|
|
index 0000000..303ee0c
|
||
|
|
--- /dev/null
|
||
|
|
+++ b/result/errors/758588.xml.str
|
||
|
|
@@ -0,0 +1,10 @@
|
||
|
|
+./test/errors/758588.xml:1: namespace error : Namespace prefix a-340282366920938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686
|
||
|
|
+63472597946867209384634725979468672093846347259794686720938463472597946867261d:a
|
||
|
|
+ ^
|
||
|
|
+./test/errors/758588.xml:1: parser error : expected '>'
|
||
|
|
+2597946867209384634725979468672093846347259794686720938463472597946867261d:a></a
|
||
|
|
+ ^
|
||
|
|
+./test/errors/758588.xml:1: parser error : Opening and ending tag mismatch: a line 1 and a
|
||
|
|
+2597946867209384634725979468672093846347259794686720938463472597946867261d:a></a
|
||
|
|
+ ^
|
||
|
|
+./test/errors/758588.xml : failed to parse
|
||
|
|
diff --git a/test/errors/758588.xml b/test/errors/758588.xml
|
||
|
|
new file mode 100644
|
||
|
|
index 0000000..bec7e93
|
||
|
|
--- /dev/null
|
||
|
|
+++ b/test/errors/758588.xml
|
||
|
|
@@ -0,0 +1 @@
|
||
|
|
+<a-34028236692093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672
|
||
|
|
\ No newline at end of file
|
||
|
|
--
|
||
|
|
2.5.5
|
||
|
|
|