1 Patch origin: community |
2 Patch status: unknown, needs to be verified by upstream |
4 https://bugzilla.gnome.org/show_bug.cgi?id=746048 |
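diff --git a/HTMLparser.c b/HTMLparser.c
index d329d3b..6f81424 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -3245,13 +3245,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
 ctxt->instate = state;
 return;
 }
+ if ((ctxt->input->end - ctxt->input->cur) < 3) {
+ ctxt->instate = XML_PARSER_EOF;
+ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+ "Comment not terminated\n", NULL, NULL);
+ xmlFree(buf);
+ return;
+ }
 q = CUR_CHAR(ql);
 NEXTL(ql);
 r = CUR_CHAR(rl);
 NEXTL(rl);
 cur = CUR_CHAR(l);
 len = 0;
- while (IS_CHAR(cur) &&
+ while (((ctxt->input->end - ctxt->input->cur) > 0) && IS_CHAR(cur) &&
 ((cur != '>') ||
 (r != '-') || (q != '-'))) {
 if (len + 5 >= size) {
@@ -3281,7 +3288,7 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
 }
 }
 buf[len] = 0;
- if (!IS_CHAR(cur)) {
+ if (!(ctxt->input->end - ctxt->input->cur) || !IS_CHAR(cur)) {
 htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
 "Comment not terminated \n<!--%.50s\n", buf, NULL);
 xmlFree(buf);
@@ -4465,6 +4472,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
 depth = ctxt->nameNr;
 while (1) {
 long cons = ctxt->nbChars;
+ long rem = ctxt->input->end - ctxt->input->cur;
 
 GROW;
 
@@ -4540,7 +4548,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
 /*
 * Sometimes DOCTYPE arrives in the middle of the document
 */
- if ((CUR == '<') && (NXT(1) == '!') &&
+ if ((rem >= 9) && (CUR == '<') && (NXT(1) == '!') &&
 (UPP(2) == 'D') && (UPP(3) == 'O') &&
 (UPP(4) == 'C') && (UPP(5) == 'T') &&
 (UPP(6) == 'Y') && (UPP(7) == 'P') &&
@@ -4554,7 +4562,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
 /*
 * First case : a comment
 */
- if ((CUR == '<') && (NXT(1) == '!') &&
+ if ((rem >= 4) && (CUR == '<') && (NXT(1) == '!') &&
 (NXT(2) == '-') && (NXT(3) == '-')) {
 htmlParseComment(ctxt);
 }
@@ -4562,14 +4570,14 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
 /*
 * Second case : a Processing Instruction.
 */
- else if ((CUR == '<') && (NXT(1) == '?')) {
+ else if ((rem >= 2) && (CUR == '<') && (NXT(1) == '?')) {
 htmlParsePI(ctxt);
 }
 
 /*
 * Third case : a sub-element.
 */
- else if (CUR == '<') {
+ else if ((rem >= 1) && (CUR == '<')) {
 htmlParseElementInternal(ctxt);
 if (currentNode != NULL) xmlFree(currentNode);
 
@@ -4581,7 +4589,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
 * Fourth case : a reference. If if has not been resolved,
 * parsing returns it's Name, create the node
 */
- else if (CUR == '&') {
+ else if ((rem >= 1) && (CUR == '&')) {
 htmlParseReference(ctxt);
 }
 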
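Review bot: `rem` in htmlParseContentInternal is sampled once at the top of the `while (1)` loop, before `GROW`, and then used as the bound for every later `NXT()`/`UPP()` look-ahead, so it describes the buffer as it was rather than as it is when the bytes are read. After `GROW` it can under-report, so a `<!--` or DOCTYPE that only became available in this iteration is skipped. The comment test is a plain `if` following the DOCTYPE test rather than an `else if`, so if the DOCTYPE branch consumes input (its body lies outside the hunks, so this is inferred) `rem` over-reports and the `rem >= 4` guard no longer bounds the look-ahead it is there to protect. I would take the measurement where it is used: at minimum move the assignment below `GROW` as `rem = ctxt->input->end - ctxt->input->cur;` and re-evaluate it before the comment test. Declaring it `ptrdiff_t` instead of `long` also matches the type of the pointer difference.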