diff options
| author | Daniel Veillard <veillard@redhat.com> | 2012-08-17 20:34:05 +0800 |
|---|---|---|
| committer | Daniel Veillard <veillard@redhat.com> | 2012-08-17 22:59:10 +0800 |
| commit | 40851d0c5975a8fde9498f72f3f5d96ad3194dc5 (patch) | |
| tree | e74e70b7336f438dffb755e6ecdd760841700fce /xmlregexp.c | |
| parent | b60061a7a59d1305824896172b705c31316bc761 (diff) | |
| download | android_external_libxml2-40851d0c5975a8fde9498f72f3f5d96ad3194dc5.tar.gz android_external_libxml2-40851d0c5975a8fde9498f72f3f5d96ad3194dc5.tar.bz2 android_external_libxml2-40851d0c5975a8fde9498f72f3f5d96ad3194dc5.zip | |
Fix a segfault on XSD validation on pattern error
As reported by Sven <sven@e7o.de>:
The following pattern will cause a segmentation fault in my
Apache (using PHP5 to validate a XML against a XSD):
<xs:pattern value="(.*)|"/>
Fix a cascade of error handling failures which led to the
crash in that scenario.
Diffstat (limited to 'xmlregexp.c')
| -rw-r--r-- | xmlregexp.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/xmlregexp.c b/xmlregexp.c index 8a8be983..b9527085 100644 --- a/xmlregexp.c +++ b/xmlregexp.c @@ -3202,7 +3202,7 @@ xmlFARegExec(xmlRegexpPtr comp, const xmlChar *content) { memset(exec->counts, 0, comp->nbCounters * sizeof(int)); } else exec->counts = NULL; - while ((exec->status == 0) && + while ((exec->status == 0) && (exec->state != NULL) && ((exec->inputString[exec->index] != 0) || ((exec->state != NULL) && (exec->state->type != XML_REGEXP_FINAL_STATE)))) { @@ -3456,6 +3456,8 @@ error: } xmlFree(exec->rollbacks); } + if (exec->state == NULL) + return(-1); if (exec->counts != NULL) xmlFree(exec->counts); if (exec->status == 0) @@ -5373,6 +5375,10 @@ xmlFAParseRegExp(xmlRegParserCtxtPtr ctxt, int top) { end = ctxt->state; while ((CUR == '|') && (ctxt->error == 0)) { NEXT; + if (CUR == 0) { + ERROR("expecting a branch after |") + return; + } ctxt->state = start; ctxt->end = NULL; xmlFAParseBranch(ctxt, end); |