Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605>
Reviewed by David Kilzer.
* HTMLparser.c:
(htmlParseName): Add bounds check.
(htmlParseNameComplex): Ditto.
* result/HTML/758605.html: Added.
* result/HTML/758605.html.err: Added.
* result/HTML/758605.html.sax: Added.
* runtest.c:
(pushParseTest): The input for the new test case was so small
(4 bytes) that htmlParseChunk() was never called after
htmlCreatePushParserCtxt(), thereby creating a false positive
test failure. Fixed by using a do-while loop so we always call
htmlParseChunk() at least once.
* test/HTML/758605.html: Added.
diff --git a/runtest.c b/runtest.c
index 36fbe5a..bb74d2a 100644
--- a/runtest.c
+++ b/runtest.c
@@ -1873,7 +1873,7 @@
ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename);
xmlCtxtUseOptions(ctxt, options);
cur += 4;
- while (cur < size) {
+ do {
if (cur + 1024 >= size) {
#ifdef LIBXML_HTML_ENABLED
if (options & XML_PARSE_HTML)
@@ -1891,7 +1891,7 @@
xmlParseChunk(ctxt, base + cur, 1024, 0);
cur += 1024;
}
- }
+ } while (cur < size);
doc = ctxt->myDoc;
#ifdef LIBXML_HTML_ENABLED
if (options & XML_PARSE_HTML)