Fix sanity check in htmlParseNameComplex - (cur - len) can overflow. - Throw an internal error. Fixes bug 780077.

commit: f39e3be0dd9b3aa3ec47ff339b4934c16f6e5156 [log] [tgz]
author: Nick Wellnhofer <wellnhofer@aevum.de> Sun Jun 11 12:35:59 2017 +0200
committer: Nick Wellnhofer <wellnhofer@aevum.de> Sun Jun 11 12:43:37 2017 +0200
tree: 3bee9de00285a8017dc3086c228639705325ac92
parent: 79c8a6b10593c709fd3ceea9deef35c1a3da70f0 [diff]
diff --git a/HTMLparser.c b/HTMLparser.c
index d1395fa..3198afa 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c

@@ -2528,8 +2528,12 @@
 	}
     }
 
-    if (ctxt->input->base > ctxt->input->cur - len)
-	return(NULL);
+    if (ctxt->input->cur - ctxt->input->base < len) {
+        /* Sanity check */
+	htmlParseErr(ctxt, XML_ERR_INTERNAL_ERROR,
+                     "unexpected change of input buffer", NULL, NULL);
+        return (NULL);
+    }
 
     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
 }
commit	f39e3be0dd9b3aa3ec47ff339b4934c16f6e5156	[log] [tgz]
author	Nick Wellnhofer <wellnhofer@aevum.de>	Sun Jun 11 12:35:59 2017 +0200
committer	Nick Wellnhofer <wellnhofer@aevum.de>	Sun Jun 11 12:43:37 2017 +0200
tree	3bee9de00285a8017dc3086c228639705325ac92
parent	79c8a6b10593c709fd3ceea9deef35c1a3da70f0 [diff]