authorBrian C. Young <bcyoung@google.com>2017-04-03 12:21:57 -0700
committerMSe <mse1969@posteo.de>2017-06-09 15:16:15 +0200
commit53bb3c60e00f99b8788586354b4c7774c6b3ad72 (patch)
tree3aa58269642ab2fc75737901bf8952d637990e30
parentf596072ccf53f07ad59d8c6b9227bda7a0459b98 (diff)
DO NOT MERGE: Apply upstream Chromium patch for encoding changes
Give up looking up interned names if the encoding changed during parsing.

NEXTL may process encoding changes by refilling the parser's input buffer, which makes the accumulated length 'len' inaccurate.

Chromium bug: http://crbug.com/620679
Review-Url: https://codereview.chromium.org/2603933002
Cr-Commit-Position: refs/heads/master@{#442517}
Bug: 36553781
AOSP-Change-Id: Id3484fbee201d1e19b684b109009d6590354b1d9
(cherry picked from commit 008262d3e46b3d5aae2d2f981e26ca69c8bd2b51)
CVE-2016-1839
Change-Id: I1a92bad21e677164a3b117cb789c502134d0c7e5
-rw-r--r--parser.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/parser.c b/parser.c
index 3d9c8f4f..ae9d5a5b 100644
--- a/parser.c
+++ b/parser.c
@@ -3398,8 +3398,15 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
return(NULL);
}
- if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+ if (ctxt->input->cur > ctxt->input->base && (*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) {
+ if (ctxt->input->base > ctxt->input->cur - (len + 1)) {
+ return(NULL);
+ }
return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+ }
+ if (ctxt->input->base > ctxt->input->cur - len) {
+ return(NULL);
+ }
return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
}
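Review bot: The new guards on the `if (ctxt->input->base > ctxt->input->cur - (len + 1))` and `ctxt->input->cur - len` lines first form the pointer `cur - (len + 1)` / `cur - len` and only then compare it to `base`; when the buffer was refilled that pointer lies before the start of the input array, so the subtraction itself is undefined behaviour in C (UBSan's pointer-overflow check flags it and an optimizer may assume it cannot happen), which is the very condition the check is meant to catch. Comparing distances instead, `ctxt->input->cur - ctxt->input->base < len + 1` and `… < len`, never forms an out-of-range pointer and is equivalent when the check holds. Secondly, both bail-outs `return(NULL)` without reporting anything, so the caller cannot tell an encoding-change abort from an ordinary name-parsing failure and no diagnostic reaches the application; the hunk already uses `xmlFatalErr` two lines above, so raising `XML_ERR_INTERNAL_ERROR` with a short message there keeps the parser's error stream accurate. The enclosing xmlParseNameComplex starts outside this hunk, and `len` is accumulated there, so it is presumably `int` as in upstream; confirm the comparison types against that declaration.

```c
    /* … unchanged: XML_ERR_NAME_TOO_LONG check … */
    if ((ctxt->input->cur > ctxt->input->base) &&
        (*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) {
        /* NEXTL may have refilled the buffer on an encoding change, so
         * 'len' bytes need not precede 'cur' any more; compare distances
         * rather than forming a pointer before 'base'. */
        if (ctxt->input->cur - ctxt->input->base < len + 1) {
            xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
                        "unexpected change of input buffer");
            return(NULL);
        }
        return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
    }
    if (ctxt->input->cur - ctxt->input->base < len) {
        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
                    "unexpected change of input buffer");
        return(NULL);
    }
    return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
```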