From dfc5aae623e97336323e59a94450f1a708eb7c0c Mon Sep 17 00:00:00 2001

From: Daniel Veillard <veillard@redhat.com>

Date: Fri, 20 Nov 2015 15:04:09 +0800

Subject: [PATCH] Detect incoherency on GROW

To: libvir-list@redhat.com

the current pointer to the input has to be between the base and end

if not stop everything we have an internal state error.

Signed-off-by: Daniel Veillard <veillard@redhat.com>

---

 parser.c | 9 ++++++++-

 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/parser.c b/parser.c

index 9aed98d..7602498 100644

--- a/parser.c

+++ b/parser.c

@@ -2072,9 +2072,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {

          ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&

         ((ctxt->options & XML_PARSE_HUGE) == 0)) {

         xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");

-        ctxt->instate = XML_PARSER_EOF;

+        xmlHaltParser(ctxt);

+	return;

     }

     xmlParserInputGrow(ctxt->input, INPUT_CHUNK);

+    if ((ctxt->input->cur > ctxt->input->end) ||

+        (ctxt->input->cur < ctxt->input->base)) {

+        xmlHaltParser(ctxt);

+        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound");

+	return;

+    }

     if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) &&

         (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0))

 	    xmlPopInput(ctxt);

-- 

2.5.0