author | Daniel Veillard <veillard@redhat.com> | 2015-11-20 15:04:09 +0800 |
---|---|---|
committer | Daniel Veillard <veillard@redhat.com> | 2015-11-20 15:04:09 +0800 |
commit | 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da (patch) | |
tree | 2b2cab2edfa88b6a2db8e2ba44aed391769b9d57 | |
parent | ce0b0d0d81fdbb5f722a890432b52d363e4de57b (diff) | |
Detect incoherency on GROW
the current pointer to the input has to be between the base and end
if not stop everything we have an internal state error.
-rw-r--r-- | parser.c | 9 |
1 files changed, 8 insertions, 1 deletions
@@ -2075,9 +2075,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) && ((ctxt->options & XML_PARSE_HUGE) == 0)) { xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); - ctxt->instate = XML_PARSER_EOF; + xmlHaltParser(ctxt); + return; } xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + if ((ctxt->input->cur > ctxt->input->end) || + (ctxt->input->cur < ctxt->input->base)) { + xmlHaltParser(ctxt); + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound"); + return; + } if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) && (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) xmlPopInput(ctxt); |
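Review bot: The two error paths in this hunk call `xmlFatalErr` and `xmlHaltParser` in opposite orders, and nothing says whether that is deliberate: the "Huge input lookup" branch reports then halts, while the new `cur` bounds check halts then reports. If the halt comes first because error reporting may read context around `ctxt->input->cur`, which is known to lie outside `base`..`end` at that point, record it with a comment such as `/* halt before reporting: cur is outside [base, end] and must not be used for error context */`; otherwise use one order in both branches. The bounds check also runs only after `xmlParserInputGrow(ctxt->input, INPUT_CHUNK)` has been called, so a `cur` that was already out of range is detected after the buffer has been touched rather than before. Whether the earlier part of xmlGROW guards that case cannot be seen here, since the function begins above the hunk.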