authorBrian C. Young <bcyoung@google.com>2017-04-03 12:21:57 -0700
committerMSe <mse1969@posteo.de>2017-06-09 15:16:15 +0200
commit53bb3c60e00f99b8788586354b4c7774c6b3ad72 (patch)
tree3aa58269642ab2fc75737901bf8952d637990e30 /parser.c
parentf596072ccf53f07ad59d8c6b9227bda7a0459b98 (diff)
DO NOT MERGE: Apply upstream Chromium patch for encoding changesreplicant-6.0-0004-rc1replicant-6.0-0003replicant-6.0-0002backup/20190820-0039/cm-13.0
Give up looking up interned names if the encoding changed during parsing.

NEXTL may process encoding changes by refilling the parser's input buffer, which makes the accumulated length 'len' inaccurate.

Chromium bug: http://crbug.com/620679
Review-Url: https://codereview.chromium.org/2603933002
Cr-Commit-Position: refs/heads/master@{#442517}
Bug: 36553781
AOSP-Change-Id: Id3484fbee201d1e19b684b109009d6590354b1d9
(cherry picked from commit 008262d3e46b3d5aae2d2f981e26ca69c8bd2b51)
CVE-2016-1839
Change-Id: I1a92bad21e677164a3b117cb789c502134d0c7e5
Diffstat (limited to 'parser.c')
-rw-r--r--parser.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/parser.c b/parser.c
index 3d9c8f4f..ae9d5a5b 100644
--- a/parser.c
+++ b/parser.c
@@ -3398,8 +3398,15 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
return(NULL);
}
- if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+ if (ctxt->input->cur > ctxt->input->base && (*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) {
+ if (ctxt->input->base > ctxt->input->cur - (len + 1)) {
+ return(NULL);
+ }
return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+ }
+ if (ctxt->input->base > ctxt->input->cur - len) {
+ return(NULL);
+ }
return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
}
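Review bot: The two added bounds checks form `ctxt->input->cur - (len + 1)` and `ctxt->input->cur - len` before comparing them with `base`, and computing a pointer below the start of the buffer is itself undefined behaviour in C, so an optimising compiler may treat the comparison as always false. Comparing offsets avoids that: `if (ctxt->input->cur - ctxt->input->base < len + 1) return(NULL);` in the CR/LF branch and `if (ctxt->input->cur - ctxt->input->base < len) return(NULL);` before the final lookup. These checks only confirm that the span lies inside the current buffer; if the buffer was refilled and `len` still fits, xmlDictLookup would presumably intern bytes that are not the name just scanned, so a comment stating that limit, or an xmlFatalErr call before the bare `return(NULL)`, would make the failure visible. xmlParseNameComplex begins above the hunk, so how `len` is accumulated cannot be checked from here.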