Fix sanity check in htmlParseNameComplex
- (cur - len) can overflow.
- Throw an internal error.
Fixes bug 780077.
diff --git a/HTMLparser.c b/HTMLparser.c
index d1395fa..3198afa 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -2528,8 +2528,12 @@
}
}
- if (ctxt->input->base > ctxt->input->cur - len)
- return(NULL);
+ if (ctxt->input->cur - ctxt->input->base < len) {
+ /* Sanity check */
+ htmlParseErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "unexpected change of input buffer", NULL, NULL);
+ return (NULL);
+ }
return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
}
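Review bot: The `/* Sanity check */` comment on the new guard does not say which invariant it protects or why the comparison was rewritten. Something like `/* cur must be at least len bytes past base; compare offsets rather than forming cur - len, which could point before the buffer */` would stop a later cleanup from reverting to the pointer form. The guard only establishes that `cur - len` is not before `base`. It does not show that those bytes are still the name that was scanned, so if the buffer can really change under the parser, the lookup on the last line may intern unrelated content whenever the offset happens to be large enough. The declaration of `len` and the loop that advances it are outside the hunk, so it is worth confirming there that `len` cannot go negative or wrap before this comparison. As a style point, `return (NULL);` in the new branch differs from the `return(NULL);` / `return(xmlDictLookup(...))` form used on the neighbouring lines.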