diff options
| author | Daniel Veillard <veillard@redhat.com> | 2015-11-20 15:04:09 +0800 |
|---|---|---|
| committer | Daniel Veillard <veillard@redhat.com> | 2015-11-20 15:04:09 +0800 |
| commit | 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da (patch) | |
| tree | 2b2cab2edfa88b6a2db8e2ba44aed391769b9d57 /parser.c | |
| parent | ce0b0d0d81fdbb5f722a890432b52d363e4de57b (diff) | |
| download | android_external_libxml2-35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da.tar.gz android_external_libxml2-35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da.tar.bz2 android_external_libxml2-35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da.zip | |
Detect incoherency on GROW
the current pointer to the input has to be between the base and end
if not stop everything we have an internal state error.
Diffstat (limited to 'parser.c')
| -rw-r--r-- | parser.c | 9 |
1 files changed, 8 insertions, 1 deletions
@@ -2075,9 +2075,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) && ((ctxt->options & XML_PARSE_HUGE) == 0)) { xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); - ctxt->instate = XML_PARSER_EOF; + xmlHaltParser(ctxt); + return; } xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + if ((ctxt->input->cur > ctxt->input->end) || + (ctxt->input->cur < ctxt->input->base)) { + xmlHaltParser(ctxt); + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound"); + return; + } if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) && (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) xmlPopInput(ctxt); |