components/libxml2/patches/Bug746048.patch
branchs11u3-sru
changeset 5253 18fb16d332d3
parent 5249 8a7aa7f8367e
child 5254 ac45b54ae7b5
5249:8a7aa7f8367e 5253:18fb16d332d3
     1 Patch origin: community
       
     2 Patch status: unknown, needs to be verified by upstream
       
     3 
       
     4 https://bugzilla.gnome.org/show_bug.cgi?id=746048
       
     5 
       
     6 diff --git a/HTMLparser.c b/HTMLparser.c
       
     7 index d329d3b..6f81424 100644
       
     8 --- a/HTMLparser.c
       
     9 +++ b/HTMLparser.c
       
    10 @@ -3245,13 +3245,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
       
    11  	ctxt->instate = state;
       
    12  	return;
       
    13      }
       
    14 +    if ((ctxt->input->end - ctxt->input->cur) < 3) {
       
    15 +        ctxt->instate = XML_PARSER_EOF;
       
    16 +        htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
       
    17 +                     "Comment not terminated\n", NULL, NULL);
       
    18 +        xmlFree(buf);
       
    19 +        return;
       
    20 +    }
       
    21      q = CUR_CHAR(ql);
       
    22      NEXTL(ql);
       
    23      r = CUR_CHAR(rl);
       
    24      NEXTL(rl);
       
    25      cur = CUR_CHAR(l);
       
    26      len = 0;
       
    27 -    while (IS_CHAR(cur) &&
       
    28 +    while (((ctxt->input->end - ctxt->input->cur) > 0) && IS_CHAR(cur) &&
       
    29             ((cur != '>') ||
       
    30  	    (r != '-') || (q != '-'))) {
       
    31  	if (len + 5 >= size) {
       
    32 @@ -3281,7 +3288,7 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
       
    33  	}
       
    34      }
       
    35      buf[len] = 0;
       
    36 -    if (!IS_CHAR(cur)) {
       
    37 +    if (!(ctxt->input->end - ctxt->input->cur) || !IS_CHAR(cur)) {
       
    38  	htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
       
    39  	             "Comment not terminated \n<!--%.50s\n", buf, NULL);
       
    40  	xmlFree(buf);
       
    41 @@ -4465,6 +4472,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
       
    42      depth = ctxt->nameNr;
       
    43      while (1) {
       
    44  	long cons = ctxt->nbChars;
       
    45 +    long rem = ctxt->input->end - ctxt->input->cur;
       
    46  
       
    47          GROW;
       
    48  
       
    49 @@ -4540,7 +4548,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
       
    50  	    /*
       
    51  	     * Sometimes DOCTYPE arrives in the middle of the document
       
    52  	     */
       
    53 -	    if ((CUR == '<') && (NXT(1) == '!') &&
       
    54 +	    if ((rem >= 9) && (CUR == '<') && (NXT(1) == '!') &&
       
    55  		(UPP(2) == 'D') && (UPP(3) == 'O') &&
       
    56  		(UPP(4) == 'C') && (UPP(5) == 'T') &&
       
    57  		(UPP(6) == 'Y') && (UPP(7) == 'P') &&
       
    58 @@ -4554,7 +4562,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
       
    59  	    /*
       
    60  	     * First case :  a comment
       
    61  	     */
       
    62 -	    if ((CUR == '<') && (NXT(1) == '!') &&
       
    63 +	    if ((rem >= 4) && (CUR == '<') && (NXT(1) == '!') &&
       
    64  		(NXT(2) == '-') && (NXT(3) == '-')) {
       
    65  		htmlParseComment(ctxt);
       
    66  	    }
       
    67 @@ -4562,14 +4570,14 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
       
    68  	    /*
       
    69  	     * Second case : a Processing Instruction.
       
    70  	     */
       
    71 -	    else if ((CUR == '<') && (NXT(1) == '?')) {
       
    72 +	    else if ((rem >= 2) && (CUR == '<') && (NXT(1) == '?')) {
       
    73  		htmlParsePI(ctxt);
       
    74  	    }
       
    75  
       
    76  	    /*
       
    77  	     * Third case :  a sub-element.
       
    78  	     */
       
    79 -	    else if (CUR == '<') {
       
    80 +	    else if ((rem >= 1) && (CUR == '<')) {
       
    81  		htmlParseElementInternal(ctxt);
       
    82  		if (currentNode != NULL) xmlFree(currentNode);
       
    83  
       
    84 @@ -4581,7 +4589,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
       
    85  	     * Fourth case : a reference. If if has not been resolved,
       
    86  	     *    parsing returns it's Name, create the node
       
    87  	     */
       
    88 -	    else if (CUR == '&') {
       
    89 +	    else if ((rem >= 1) && (CUR == '&')) {
       
    90  		htmlParseReference(ctxt);
       
    91  	    }
       
    92