Someone found a bug hiding in a corner; caught it!
- parser.c: fixing bug 52299, a strange condition leading
to a parser crash due to a buffer overflow
- result/noent/attrib.xml result/attrib.xml test/attrib.xml:
added the specific test case
Daniel
diff --git a/parser.c b/parser.c
index deb02d2..b5352f9 100644
--- a/parser.c
+++ b/parser.c
@@ -2156,6 +2156,9 @@
buf[len++] = *current++;
}
} else {
+ if (len > buf_size - 10) {
+ growBuffer(buf);
+ }
len += xmlCopyChar(0, &buf[len], val);
}
} else {
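Review bot: The margin `10` in `if (len > buf_size - 10)` is an unexplained constant, both here before `xmlCopyChar(0, &buf[len], val)` and in the identical guard in the second hunk before `buf[len++] = ent->content[0]`. The bound is only auditable if it states what it reserves, presumably the longest encoding xmlCopyChar can emit plus any terminator written later, so a comment like `/* keep room for one encoded char and the trailing 0 */` or a named constant would help. The declarations of `len` and `buf_size` and the definition of growBuffer are outside the hunk. If `buf_size` is unsigned, writing the test as `len + 10 > buf_size` avoids wraparound for small sizes. It is also worth confirming how growBuffer behaves on allocation failure from these two new call sites.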
@@ -2178,6 +2181,9 @@
xmlFree(rep);
}
} else {
+ if (len > buf_size - 10) {
+ growBuffer(buf);
+ }
if (ent->content != NULL)
buf[len++] = ent->content[0];
}