Heap-based buffer-underreads due to xmlParseName

For https://bugzilla.gnome.org/show_bug.cgi?id=759573

* parser.c:
(xmlParseElementDecl): Return early on invalid input to fix
non-minimized test case (759573-2.xml).  Otherwise the parser
gets into a bad state in SKIP(3) at the end of the function.
(xmlParseConditionalSections): Halt parsing when hitting invalid
input that would otherwise cause xmlParserHandlePEReference()
to recurse unexpectedly.  This fixes the minimized test case
(759573.xml).

* result/errors/759573-2.xml: Add.
* result/errors/759573-2.xml.err: Add.
* result/errors/759573-2.xml.str: Add.
* result/errors/759573.xml: Add.
* result/errors/759573.xml.err: Add.
* result/errors/759573.xml.str: Add.
* test/errors/759573-2.xml: Add.
* test/errors/759573.xml: Add.
This commit is contained in:
David Kilzer 2016-01-26 16:57:03 -08:00 committed by Daniel Veillard
parent 38eae57111
commit 0090675905
9 changed files with 109 additions and 0 deletions


@ -6708,6 +6708,7 @@ xmlParseElementDecl(xmlParserCtxtPtr ctxt) {
if (!IS_BLANK_CH(CUR)) {
xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
"Space required after 'ELEMENT'\n");
return(-1);
}
SKIP_BLANKS;
name = xmlParseName(ctxt);
@ -6859,6 +6860,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
xmlHaltParser(ctxt);
break;
}
}
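Review bot: In the xmlParseConditionalSections hunk the new `xmlHaltParser(ctxt);` is followed by `break`, not a return, so whatever follows the loop (outside the hunk) still executes on a halted context; the commit message itself notes that xmlParseElementDecl got into a bad state at its trailing SKIP(3), so it is worth confirming that the post-loop code here tolerates a halted parser, or returning immediately instead. Neither new line carries a comment explaining the rationale, which a later maintainer will need; I would add `/* No progress was made: halt so xmlParserHandlePEReference() cannot recurse (bug 759573) */` above `xmlHaltParser(ctxt);`, and `/* Bail out now: continuing reaches the SKIP(3) at the end of this function in a bad state */` above the new `return(-1);` in xmlParseElementDecl. Both enclosing functions start and end outside their hunks.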


@ -0,0 +1,58 @@
Entity: line 1: parser error : Space required after '<!ENTITY'
%zz;
^
Entity: line 1:
<!ENTITY<?xDOCTYPEm~?>
^
Entity: line 1: parser error : xmlParseEntityDecl: no name
%zz;
^
Entity: line 1:
<!ENTITY<?xDOCTYPEm~?>
^
Entity: line 1: parser error : ParsePI: PI xDOCTYPEm space expected
%zz;
^
Entity: line 1:
<!ENTITY<?xDOCTYPEm~?>
^
Entity: line 1: parser error : Space required after '<!ENTITY'
%zz;
^
Entity: line 1:
<!ENTITY<?xDOCTYPEm~?>
^
Entity: line 1: parser error : xmlParseEntityDecl: no name
%zz;
^
Entity: line 1:
<!ENTITY<?xDOCTYPEm~?>
^
Entity: line 1: parser error : ParsePI: PI xDOCTYPEm space expected
%zz;
^
Entity: line 1:
<!ENTITY<?xDOCTYPEm~?>
^
Entity: line 1: parser error : Space required after 'ELEMENT'
%xx;
^
Entity: line 3:
%zz;<!ELEMENTD(%MENT%MENTDŹMENTD%zNMT9KENSMYSYSTEM;MENT9%zz;
^
Entity: line 1: parser error : Content error in the external subset
%xx;
^
Entity: line 3:
%zz;<!ELEMENTD(%MENT%MENTDŹMENTD%zNMT9KENSMYSYSTEM;MENT9%zz;
^
./test/errors/759573-2.xml:6: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
%xx;ÿggKENSMYNT&#35;MENTD&#372zz;'>
^
./test/errors/759573-2.xml:6: parser error : DOCTYPE improperly terminated
%xx;ÿggKENSMYNT&#35;MENTD&#372zz;'>
^
./test/errors/759573-2.xml:6: parser error : Start tag expected, '<' not found
%xx;ÿggKENSMYNT&#35;MENTD&#372zz;'>
^


@ -0,0 +1,4 @@
./test/errors/759573-2.xml:2: parser error : Extra content at the end of the document
<!DOCTYPE test [
^
./test/errors/759573-2.xml : failed to parse

0
result/errors/759573.xml Normal file

@ -0,0 +1,31 @@
./test/errors/759573.xml:1: parser error : Space required after '<!ENTITY'
ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITY
^
./test/errors/759573.xml:1: parser error : Space required after the entity name
LEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz
^
./test/errors/759573.xml:1: parser error : Entity value required
LEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz
^
Entity: line 1: parser error : PEReference: no name
%xx;
^
Entity: line 1:
%<![INCLUDE[000%ஸ000%z;
^
Entity: line 1: parser error : Content error in the external subset
%xx;
^
Entity: line 1:
%<![INCLUDE[000%ஸ000%z;
^
./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
^
./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated
T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
^
./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found
T t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;
^


@ -0,0 +1,4 @@
./test/errors/759573.xml:1: parser error : Extra content at the end of the document
<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;00
^
./test/errors/759573.xml : failed to parse

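--- /dev/null
+++ b/test/errors/759573-2.xml
@@ -0,0 +1,9 @@
+<?xmh ven="1.0"?>
+<!DOCTYPE test [
+<!ELEMENT test (#PCDATA) >
+<!ENTITY % xx '&#37;zz; <![INCLUDE[ &#37;zz;<!ELEMENTD(&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
+<!ENTITY % zz '&#60;!ENTITY<?xDOCTYPEm~?>' >
+%xx;ÿggKENSMYNT&#35;MENTD&#372zz;'>
+<!ENBITY % zz '&#60;!EN#3&##37;z ';!EY'#x;g
+<!ENTent ref="bè:b>r.B"/>
+e </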

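--- /dev/null
+++ b/test/errors/759573.xml
@@ -0,0 +1 @@
+<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '&#37;<![INCLUDE[000&#37;&#3000;000&#37;z;'><!ENTITYz>%xx;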