From ebf48b59943833b5f57e909e5d00f0d6e75e874e Mon Sep 17 00:00:00 2001 From: Hugh Davenport Date: Fri, 20 Nov 2015 17:16:06 +0800 Subject: [PATCH] CVE-2015-8242 Buffer overead with HTML parser in push mode To: libvir-list@redhat.com For https://bugzilla.gnome.org/show_bug.cgi?id=756372 Error in the code pointing to the codepoint in the stack for the current char value instead of the pointer in the input that the SAX callback expects Reported and fixed by Hugh Davenport Signed-off-by: Daniel Veillard --- HTMLparser.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/HTMLparser.c b/HTMLparser.c index cab499a..4331d53 100644 --- a/HTMLparser.c +++ b/HTMLparser.c @@ -5708,17 +5708,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { if (ctxt->keepBlanks) { if (ctxt->sax->characters != NULL) ctxt->sax->characters( - ctxt->userData, &cur, 1); + ctxt->userData, &in->cur[0], 1); } else { if (ctxt->sax->ignorableWhitespace != NULL) ctxt->sax->ignorableWhitespace( - ctxt->userData, &cur, 1); + ctxt->userData, &in->cur[0], 1); } } else { htmlCheckParagraph(ctxt); if (ctxt->sax->characters != NULL) ctxt->sax->characters( - ctxt->userData, &cur, 1); + ctxt->userData, &in->cur[0], 1); } } ctxt->token = 0; -- 2.5.0