From ebf48b59943833b5f57e909e5d00f0d6e75e874e Mon Sep 17 00:00:00 2001

From: Hugh Davenport <hugh@allthethings.co.nz>

Date: Fri, 20 Nov 2015 17:16:06 +0800

Subject: [PATCH] CVE-2015-8242 Buffer overead with HTML parser in push mode

To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=756372

Error in the code pointing to the codepoint in the stack for the

current char value instead of the pointer in the input that the SAX

callback expects

Reported and fixed by Hugh Davenport

Signed-off-by: Daniel Veillard <veillard@redhat.com>

---

 HTMLparser.c | 6 +++---

 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/HTMLparser.c b/HTMLparser.c

index cab499a..4331d53 100644

--- a/HTMLparser.c

+++ b/HTMLparser.c

@@ -5708,17 +5708,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {

 				if (ctxt->keepBlanks) {

 				    if (ctxt->sax->characters != NULL)

 					ctxt->sax->characters(

-						ctxt->userData, &cur, 1);

+						ctxt->userData, &in->cur[0], 1);

 				} else {

 				    if (ctxt->sax->ignorableWhitespace != NULL)

 					ctxt->sax->ignorableWhitespace(

-						ctxt->userData, &cur, 1);

+						ctxt->userData, &in->cur[0], 1);

 				}

 			    } else {

 				htmlCheckParagraph(ctxt);

 				if (ctxt->sax->characters != NULL)

 				    ctxt->sax->characters(

-					    ctxt->userData, &cur, 1);

+					    ctxt->userData, &in->cur[0], 1);

 			    }

 			}

 			ctxt->token = 0;

-- 

2.5.0