From 53bb3c60e00f99b8788586354b4c7774c6b3ad72 Mon Sep 17 00:00:00 2001
From: "Brian C. Young"
Date: Mon, 3 Apr 2017 12:21:57 -0700
Subject: DO NOT MERGE: Apply upstream Chromium patch for encoding changes

Give up looking up interned names if the encoding changed during parsing

NEXTL may process encoding changes by refilling the parser's input buffer, which makes the accumulated length 'len' inaccurate.

Chromium bug: http://crbug.com/620679
Review-Url: https://codereview.chromium.org/2603933002
Cr-Commit-Position: refs/heads/master@{#442517}
Bug: 36553781
AOSP-Change-Id: Id3484fbee201d1e19b684b109009d6590354b1d9
(cherry picked from commit 008262d3e46b3d5aae2d2f981e26ca69c8bd2b51)
CVE-2016-1839
Change-Id: I1a92bad21e677164a3b117cb789c502134d0c7e5
---
 parser.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index 3d9c8f4f..ae9d5a5b 100644
--- a/parser.c
+++ b/parser.c
@@ -3398,8 +3398,15 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
         return(NULL);
     }
-    if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+    if (ctxt->input->cur > ctxt->input->base && (*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) {
+        if (ctxt->input->base > ctxt->input->cur - (len + 1)) {
+            return(NULL);
+        }
         return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+    }
+    if (ctxt->input->base > ctxt->input->cur - len) {
+        return(NULL);
+    }
     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
 }
-- 
cgit v1.2.3
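Review bot: Both new guards, `if (ctxt->input->base > ctxt->input->cur - (len + 1))` and `if (ctxt->input->base > ctxt->input->cur - len)`, first compute `cur - len` and only then compare it against `base`; after a buffer refill that subtraction can point before the start of the input object, which is undefined pointer arithmetic an optimizer is entitled to treat as in-bounds, potentially folding the very check that is meant to stop the out-of-bounds read in `xmlDictLookup`. Comparing offsets keeps every pointer inside the buffer: `if (ctxt->input->cur - ctxt->input->base < (ptrdiff_t)len + 1) return(NULL);` for the CR/LF branch and `if (ctxt->input->cur - ctxt->input->base < len) return(NULL);` for the fall-through case, with the added `cur > base` test before `cur[-1]` kept as it is. Both bail-outs return NULL without calling `xmlFatalErr`, so if callers depend on the parser's error state being set when a name fails to parse (not visible in this hunk), reporting the failure before each `return(NULL)` would make a document that switches encoding mid-name fail loudly instead of silently. xmlParseNameComplex begins outside the hunk, so the declared type of `len` (assumed `int`) and the NEXTL refill path could not be checked here.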