Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605> Reviewed by David Kilzer. * HTMLparser.c: (htmlParseName): Add bounds check. (htmlParseNameComplex): Ditto. * result/HTML/758605.html: Added. * result/HTML/758605.html.err: Added. * result/HTML/758605.html.sax: Added. * runtest.c: (pushParseTest): The input for the new test case was so small (4 bytes) that htmlParseChunk() was never called after htmlCreatePushParserCtxt(), thereby creating a false positive test failure. Fixed by using a do-while loop so we always call htmlParseChunk() at least once. * test/HTML/758605.html: Added.

commit: a820dbeac29d330bae4be05d9ecd939ad6b4aa33 [log] [tgz]
author: Pranjal Jumde <pjumde@apple.com> Tue Mar 01 11:34:04 2016 -0800
committer: Daniel Veillard <veillard@redhat.com> Mon May 23 15:01:07 2016 +0800
tree: 1f027e11ed873ef1b0535af7e98f8c5fa0e3d73a
parent: db07dd613e461df93dde7902c6505629bf0734e9 [diff] [blame]
diff --git a/runtest.c b/runtest.c
index 36fbe5a..bb74d2a 100644
--- a/runtest.c
+++ b/runtest.c

@@ -1873,7 +1873,7 @@
     ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename);
     xmlCtxtUseOptions(ctxt, options);
     cur += 4;
-    while (cur < size) {
+    do {
         if (cur + 1024 >= size) {
 #ifdef LIBXML_HTML_ENABLED
 	    if (options & XML_PARSE_HTML)
@@ -1891,7 +1891,7 @@
 	    xmlParseChunk(ctxt, base + cur, 1024, 0);
 	    cur += 1024;
 	}
-    }
+    } while (cur < size);
     doc = ctxt->myDoc;
 #ifdef LIBXML_HTML_ENABLED
     if (options & XML_PARSE_HTML)
commit	a820dbeac29d330bae4be05d9ecd939ad6b4aa33	[log] [tgz]
author	Pranjal Jumde <pjumde@apple.com>	Tue Mar 01 11:34:04 2016 -0800
committer	Daniel Veillard <veillard@redhat.com>	Mon May 23 15:01:07 2016 +0800
tree	1f027e11ed873ef1b0535af7e98f8c5fa0e3d73a
parent	db07dd613e461df93dde7902c6505629bf0734e9 [diff] [blame]