author | Daniel Veillard <veillard@redhat.com> | 2015-09-15 16:50:32 +0800 |
---|---|---|
committer | Daniel Veillard <veillard@redhat.com> | 2015-09-15 16:50:32 +0800 |
commit | 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 (patch) | |
tree | f10b3ff508b1b39c15b1a9937ae33dd7bbcbf5d2 | |
parent | ef709ce2f7b792d5fb69ed142796d743fb1eb388 (diff) | |
Fix a bug on name parsing at the end of current input buffer
For https://bugzilla.gnome.org/show_bug.cgi?id=754946
When hitting the end of the current input buffer while parsing
a name we could end up losing the beginning of the name, which
led to various issues.
-rw-r--r-- | parser.c | 29 | ||||
-rw-r--r-- | result/errors/754946.xml | 0 | ||||
-rw-r--r-- | result/errors/754946.xml.err | 16 | ||||
-rw-r--r-- | result/errors/754946.xml.str | 4 | ||||
-rw-r--r-- | test/errors/754946.xml | 1 |
5 files changed, 41 insertions, 9 deletions
@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
 c = CUR_CHAR(l);
 if (c == 0) {
 count = 0;
+ /*
+ * when shrinking to extend the buffer we really need to preserve
+ * the part of the name we already parsed. Hence rolling back
+ * by current lenght.
+ */
+ ctxt->input->cur -= l;
 GROW;
+ ctxt->input->cur += l;
 if (ctxt->instate == XML_PARSER_EOF)
 return(NULL);
 end = ctxt->input->cur;
@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
 static const xmlChar *
 xmlParseNCName(xmlParserCtxtPtr ctxt) {
- const xmlChar *in;
+ const xmlChar *in, *e;
 const xmlChar *ret;
 int count = 0;
@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
 * Accelerator for simple ASCII names
 */
 in = ctxt->input->cur;
- if (((*in >= 0x61) && (*in <= 0x7A)) ||
- ((*in >= 0x41) && (*in <= 0x5A)) ||
- (*in == '_')) {
+ e = ctxt->input->end;
+ if ((((*in >= 0x61) && (*in <= 0x7A)) ||
+ ((*in >= 0x41) && (*in <= 0x5A)) ||
+ (*in == '_')) && (in < e)) {
 in++;
- while (((*in >= 0x61) && (*in <= 0x7A)) ||
- ((*in >= 0x41) && (*in <= 0x5A)) ||
- ((*in >= 0x30) && (*in <= 0x39)) ||
- (*in == '_') || (*in == '-') ||
- (*in == '.'))
+ while ((((*in >= 0x61) && (*in <= 0x7A)) ||
+ ((*in >= 0x41) && (*in <= 0x5A)) ||
+ ((*in >= 0x30) && (*in <= 0x39)) ||
+ (*in == '_') || (*in == '-') ||
+ (*in == '.')) && (in < e))
 in++;
+ if (in >= e)
+ goto complex;
 if ((*in > 0) && (*in < 0x80)) {
 count = in - ctxt->input->cur;
 if ((count > XML_MAX_NAME_LENGTH) &&
@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
 return(ret);
 }
 }
+complex:
 return(xmlParseNCNameComplex(ctxt));
 }
diff --git a/result/errors/754946.xml b/result/errors/754946.xml
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/result/errors/754946.xml
diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
new file mode 100644
index 00000000..423dff56
--- /dev/null
+++ b/result/errors/754946.xml.err
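Review bot: The rollback around `GROW` in the first hunk moves `ctxt->input->cur` back by `l`, which in the visible lines is the byte length just reported by `CUR_CHAR(l)` for the current character, while the added comment says the goal is to keep the part of the name already parsed. If the whole name so far is meant, the amount should be the accumulated name length (its counter is not visible in this hunk), and the subtraction should be guarded so `cur` cannot move below `ctxt->input->base`. Re-adding `l` is only valid if `GROW` rebases `cur` when the buffer is moved or shrunk; a comment stating that assumption would help, e.g. `/* GROW may move the buffer; cur is rebased by the input layer before l is re-added */`. The loop in xmlParseNCNameComplex starts and ends outside the hunk.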
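Review bot: In the third hunk the new `(in < e)` test is placed last in both the `if` and the `while` condition, so `*in` is still read before the bound is checked, and when `in == e` the character comparisons dereference the position at `ctxt->input->end` first. Move `(in < e) &&` to the front of both conditions so that short-circuit evaluation protects the read. As written, the code appears to rely on the input buffer being NUL-terminated at `end`, which the hunk does not show. xmlParseNCName begins in the previous hunk and ends in the next one.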
@@ -0,0 +1,16 @@ +Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration + + %SYSTEM; + ^ +Entity: line 1: +A<lbbbbbbbbbbbbbbbbbbb_ +^ +Entity: line 1: parser error : DOCTYPE improperly terminated + %SYSTEM; + ^ +Entity: line 1: +A<lbbbbbbbbbbbbbbbbbbb_ +^ +./test/errors/754946.xml:1: parser error : Extra content at the end of the document +<!DOCTYPEA[<!ENTITY % + ^ diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str new file mode 100644 index 00000000..3b748cc7 --- /dev/null +++ b/result/errors/754946.xml.str @@ -0,0 +1,4 @@ +./test/errors/754946.xml:1: parser error : Extra content at the end of the document +<!DOCTYPEA[<!ENTITY % + ^ +./test/errors/754946.xml : failed to parse diff --git a/test/errors/754946.xml b/test/errors/754946.xml new file mode 100644 index 00000000..6b5f9b06 --- /dev/null +++ b/test/errors/754946.xml @@ -0,0 +1 @@ +<!DOCTYPEA[<!ENTITY %
SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_"
>%SYSTEM;<![
\ No newline at end of file |