|
 |
6dedca |
From dfc5aae623e97336323e59a94450f1a708eb7c0c Mon Sep 17 00:00:00 2001
|
|
|
6dedca |
From: Daniel Veillard <veillard@redhat.com>
|
|
|
6dedca |
Date: Fri, 20 Nov 2015 15:04:09 +0800
|
|
|
6dedca |
Subject: [PATCH] Detect incoherency on GROW
|
|
|
6dedca |
To: libvir-list@redhat.com
|
|
|
6dedca |
|
|
|
6dedca |
the current pointer to the input has to be between the base and end
|
|
|
6dedca |
if not stop everything we have an internal state error.
|
|
|
6dedca |
|
|
|
6dedca |
Signed-off-by: Daniel Veillard <veillard@redhat.com>
|
|
|
6dedca |
---
|
|
|
6dedca |
parser.c | 9 ++++++++-
|
|
|
6dedca |
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
|
6dedca |
|
|
|
6dedca |
diff --git a/parser.c b/parser.c
|
|
|
6dedca |
index 9aed98d..7602498 100644
|
|
|
6dedca |
--- a/parser.c
|
|
|
6dedca |
+++ b/parser.c
|
|
|
6dedca |
@@ -2072,9 +2072,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
|
|
|
6dedca |
((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&
|
|
|
6dedca |
((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
6dedca |
xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
|
|
|
6dedca |
- ctxt->instate = XML_PARSER_EOF;
|
|
|
6dedca |
+ xmlHaltParser(ctxt);
|
|
|
6dedca |
+ return;
|
|
|
6dedca |
}
|
|
|
6dedca |
xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
|
|
|
6dedca |
+ if ((ctxt->input->cur > ctxt->input->end) ||
|
|
|
6dedca |
+ (ctxt->input->cur < ctxt->input->base)) {
|
|
|
6dedca |
+ xmlHaltParser(ctxt);
|
|
|
6dedca |
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound");
|
|
|
6dedca |
+ return;
|
|
|
6dedca |
+ }
|
|
|
6dedca |
if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) &&
|
|
|
6dedca |
(xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0))
|
|
|
6dedca |
xmlPopInput(ctxt);
|
|
|
6dedca |
--
|
|
|
6dedca |
2.5.0
|
|
|
6dedca |
|