xzyang / rpms / libxml2

Forked from rpms/libxml2 3 years ago
Clone

Blame SOURCES/libxml2-2.9.7-CVE-2020-7595.patch

ea037a
From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
ea037a
From: Zhipeng Xie <xiezhipeng1@huawei.com>
ea037a
Date: Thu, 12 Dec 2019 17:30:55 +0800
ea037a
Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
ea037a
ea037a
When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
ea037a
return NULL which cause a infinite loop in xmlStringLenDecodeEntities
ea037a
ea037a
Found with libFuzzer.
ea037a
ea037a
Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
ea037a
---
ea037a
 parser.c | 3 ++-
ea037a
 1 file changed, 2 insertions(+), 1 deletion(-)
ea037a
ea037a
diff --git a/parser.c b/parser.c
ea037a
index d1c31963..a34bb6cd 100644
ea037a
--- a/parser.c
ea037a
+++ b/parser.c
ea037a
@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
ea037a
     else
ea037a
         c = 0;
ea037a
     while ((c != 0) && (c != end) && /* non input consuming loop */
ea037a
-	   (c != end2) && (c != end3)) {
ea037a
+           (c != end2) && (c != end3) &&
ea037a
+           (ctxt->instate != XML_PARSER_EOF)) {
ea037a
 
ea037a
 	if (c == 0) break;
ea037a
         if ((c == '&') && (str[1] == '#')) {
ea037a
-- 
ea037a
2.24.1
ea037a