Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal <https://bugzilla.gnome.org/show_bug.cgi?id=758588>

* parser.c: (xmlParseEndTag2): Add bounds checks before dereferencing ctxt->input->cur past the end of the buffer, or incrementing the pointer past the end of the buffer. * result/errors/758588.xml: Add test result. * result/errors/758588.xml.err: Ditto. * result/errors/758588.xml.str: Ditto. * test/errors/758588.xml: Add regression test.
2025-03-28 21:33:13 +00:00 · 2016-02-12 09:58:29 -08:00 · 2016-02-12 09:58:29 -08:00 · db07dd613e
commit db07dd613e
parent cbb271655c
5 changed files with 26 additions and 2 deletions
--- a/parser.c
+++ b/parser.c
@ -9825,6 +9825,7 @@ static void
 xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix,
                const xmlChar *URI, int line, int nsNr, int tlen) {
    const xmlChar *name;
+    size_t curLength;

    GROW;
    if ((RAW != '<') || (NXT(1) != '/')) {
@ -9833,8 +9834,11 @@ xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix,
    }
    SKIP(2);

-    if ((tlen > 0) && (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) {
-        if (ctxt->input->cur[tlen] == '>') {
+    curLength = ctxt->input->end - ctxt->input->cur;
+    if ((tlen > 0) && (curLength >= (size_t)tlen) &&
+        (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) {
+        if ((curLength >= (size_t)(tlen + 1)) &&
+	    (ctxt->input->cur[tlen] == '>')) {
 	    ctxt->input->cur += tlen + 1;
 	    ctxt->input->col += tlen + 1;
 	    goto done;
--- a/result/errors/758588.xml
+++ b/result/errors/758588.xml
--- a/result/errors/758588.xml.err
+++ b/result/errors/758588.xml.err
--- a/result/errors/758588.xml.str
+++ b/result/errors/758588.xml.str
--- a/test/errors/758588.xml
+++ b/test/errors/758588.xml