From 466ef17b8cf8d68393f3a56cda8e7a5504aacf98 Mon Sep 17 00:00:00 2001

From: Daniel Veillard <veillard@redhat.com>

Date: Fri, 30 Oct 2015 21:14:55 +0800

Subject: [PATCH] Fix parsing short unclosed comment uninitialized access

To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=746048

The HTML parser was too optimistic when processing comments and

didn't check for the end of the stream on the first 2 characters

Signed-off-by: Daniel Veillard <veillard@redhat.com>

---

 HTMLparser.c | 21 ++++++++++++++-------

 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/HTMLparser.c b/HTMLparser.c

index dd0c1ea..cab499a 100644

--- a/HTMLparser.c

+++ b/HTMLparser.c

@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {

 	ctxt->instate = state;

 	return;

     }

+    len = 0;

+    buf[len] = 0;

     q = CUR_CHAR(ql);

+    if (!IS_CHAR(q))

+        goto unfinished;

     NEXTL(ql);

     r = CUR_CHAR(rl);

+    if (!IS_CHAR(r))

+        goto unfinished;

     NEXTL(rl);

     cur = CUR_CHAR(l);

-    len = 0;

     while (IS_CHAR(cur) &&

            ((cur != '>') ||

 	    (r != '-') || (q != '-'))) {

@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {

 	}

     }

     buf[len] = 0;

-    if (!IS_CHAR(cur)) {

-	htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,

-	             "Comment not terminated \n

-	xmlFree(buf);

-    } else {

+    if (IS_CHAR(cur)) {

         NEXT;

 	if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&

 	    (!ctxt->disableSAX))

 	    ctxt->sax->comment(ctxt->userData, buf);

 	xmlFree(buf);

+	ctxt->instate = state;

+	return;

     }

-    ctxt->instate = state;

+

+unfinished:

+    htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,

+		 "Comment not terminated \n

+    xmlFree(buf);

 }

 /**

-- 

2.5.0