From 7d23a33fbf8fe09fe52f9abafeafb9f438229603 Mon Sep 17 00:00:00 2001
From: David Kilzer
Date: Tue, 26 Jan 2016 16:57:03 -0800
Subject: [PATCH] Heap-based buffer-underreads due to xmlParseName
To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=759573

* parser.c:
(xmlParseElementDecl): Return early on invalid input to fix non-minimized test case (759573-2.xml). Otherwise the parser gets into a bad state in SKIP(3) at the end of the function.
(xmlParseConditionalSections): Halt parsing when hitting invalid input that would otherwise caused xmlParserHandlePEReference() to recurse unexpectedly. This fixes the minimized test case (759573.xml).
* result/errors/759573-2.xml: Add.
* result/errors/759573-2.xml.err: Add.
* result/errors/759573-2.xml.str: Add.
* result/errors/759573.xml: Add.
* result/errors/759573.xml.err: Add.
* result/errors/759573.xml.str: Add.
* test/errors/759573-2.xml: Add.
* test/errors/759573.xml: Add.

Had to fixup by removing test 759573-2

Signed-off-by: Daniel Veillard
---
 parser.c | 2 ++
 result/errors/759573.xml | 0
 result/errors/759573.xml.err | 31 +++++++++++++++++++++++++++++++
 result/errors/759573.xml.str | 4 ++++
 test/errors/759573.xml | 1 +
 5 files changed, 38 insertions(+)
 create mode 100644 result/errors/759573.xml
 create mode 100644 result/errors/759573.xml.err
 create mode 100644 result/errors/759573.xml.str
 create mode 100644 test/errors/759573.xml

diff --git a/parser.c b/parser.c
index 133df95..0accf54 100644
--- a/parser.c
+++ b/parser.c
@@ -6683,6 +6683,7 @@ xmlParseElementDecl(xmlParserCtxtPtr ctxt) {
 if (!IS_BLANK_CH(CUR)) {
 xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
 "Space required after 'ELEMENT'\n");
+ return(-1);
 }
 SKIP_BLANKS;
 name = xmlParseName(ctxt);
@@ -6834,6 +6835,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
 if ((CUR_PTR == check) &&
 (cons == ctxt->input->consumed)) {
 xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
+ xmlHaltParser(ctxt);
 break;
 }
 }
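Review bot: The added `return(-1);` in xmlParseElementDecl carries no explanation of why continuing is unsafe, and the enclosing function starts and ends outside the hunk, so a reader of parser.c never sees the commit message's reasoning about the trailing SKIP(3). A short comment on the new line would keep that rationale with the code: `/* bail out: continuing would leave CUR misaligned for the SKIP(3) at the end of this function */`. The error text implies the `<!ELEMENT` keyword has already been consumed when this check runs, so the caller's no-progress guard should still see movement; if the caller ignores the return value, as I believe xmlParseMarkupDecl does, this early return is a positional fix only and does not itself stop the parse, unlike the xmlHaltParser() call in the second hunk.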
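Review bot: After the new `xmlHaltParser(ctxt);` in xmlParseConditionalSections the `break` only leaves the inner loop, and the remainder of the function (outside the hunk) still runs against an input that xmlHaltParser has, as far as I recall, replaced with an empty buffer; confirm that the tail handles RAW == 0 without reporting a second, misleading error or advancing past the end. Halting is the right defensive choice here, since the no-progress branch means a parameter-entity reference could not be expanded and the commit description says continuing recurses into xmlParserHandlePEReference(), but that reason is not visible at the call site; a comment would make it so: `/* no forward progress: stop the parser rather than let PE handling recurse on a stuck input */`. The same `CUR_PTR == check && cons == consumed` stall check appears, I believe, in the other DTD-parsing loops in parser.c that only `break`; they may deserve the same treatment.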
diff --git a/result/errors/759573.xml.err b/result/errors/759573.xml.err
new file mode 100644
index 0000000..2c21e9a
--- /dev/null
+++ b/result/errors/759573.xml.err
@@ -0,0 +1,31 @@
+./test/errors/759573.xml:1: parser error : Space required after '%xx;
+ ^
+./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated
+T t (A)>%xx;
+ ^
+./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found
+T t (A)>%xx;
+ ^
diff --git a/result/errors/759573.xml.str b/result/errors/759573.xml.str
new file mode 100644
index 0000000..1b6addb
--- /dev/null
+++ b/result/errors/759573.xml.str
@@ -0,0 +1,4 @@
+./test/errors/759573.xml:1: parser error : Extra content at the end of the document
+%xx;
\ No newline at end of file
--
2.5.5