20912751 problem in LIBRARY/LIBXML
authorPetr Sumbera <petr.sumbera@oracle.com>
Fri, 19 Jun 2015 06:25:20 -0700
changeset 4533 7a8571820e6e
parent 4532 0f27eb7ee42c
child 4535 9db481b06f4f
20912751 problem in LIBRARY/LIBXML
components/libxml2/patches/Bug746048.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/Bug746048.patch	Fri Jun 19 06:25:20 2015 -0700
@@ -0,0 +1,92 @@
+Patch origin: community
+Patch status: unknown, needs to be verified by upstream
+
+https://bugzilla.gnome.org/show_bug.cgi?id=746048
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index d329d3b..6f81424 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
[email protected]@ -3245,13 +3245,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+ 	ctxt->instate = state;
+ 	return;
+     }
++    if ((ctxt->input->end - ctxt->input->cur) < 3) {
++        ctxt->instate = XML_PARSER_EOF;
++        htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++                     "Comment not terminated\n", NULL, NULL);
++        xmlFree(buf);
++        return;
++    }
+     q = CUR_CHAR(ql);
+     NEXTL(ql);
+     r = CUR_CHAR(rl);
+     NEXTL(rl);
+     cur = CUR_CHAR(l);
+     len = 0;
+-    while (IS_CHAR(cur) &&
++    while (((ctxt->input->end - ctxt->input->cur) > 0) && IS_CHAR(cur) &&
+            ((cur != '>') ||
+ 	    (r != '-') || (q != '-'))) {
+ 	if (len + 5 >= size) {
[email protected]@ -3281,7 +3288,7 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+ 	}
+     }
+     buf[len] = 0;
+-    if (!IS_CHAR(cur)) {
++    if (!(ctxt->input->end - ctxt->input->cur) || !IS_CHAR(cur)) {
+ 	htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+ 	             "Comment not terminated \n<!--%.50s\n", buf, NULL);
+ 	xmlFree(buf);
[email protected]@ -4465,6 +4472,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+     depth = ctxt->nameNr;
+     while (1) {
+ 	long cons = ctxt->nbChars;
++    long rem = ctxt->input->end - ctxt->input->cur;
+ 
+         GROW;
+ 
[email protected]@ -4540,7 +4548,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+ 	    /*
+ 	     * Sometimes DOCTYPE arrives in the middle of the document
+ 	     */
+-	    if ((CUR == '<') && (NXT(1) == '!') &&
++	    if ((rem >= 9) && (CUR == '<') && (NXT(1) == '!') &&
+ 		(UPP(2) == 'D') && (UPP(3) == 'O') &&
+ 		(UPP(4) == 'C') && (UPP(5) == 'T') &&
+ 		(UPP(6) == 'Y') && (UPP(7) == 'P') &&
[email protected]@ -4554,7 +4562,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+ 	    /*
+ 	     * First case :  a comment
+ 	     */
+-	    if ((CUR == '<') && (NXT(1) == '!') &&
++	    if ((rem >= 4) && (CUR == '<') && (NXT(1) == '!') &&
+ 		(NXT(2) == '-') && (NXT(3) == '-')) {
+ 		htmlParseComment(ctxt);
+ 	    }
[email protected]@ -4562,14 +4570,14 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+ 	    /*
+ 	     * Second case : a Processing Instruction.
+ 	     */
+-	    else if ((CUR == '<') && (NXT(1) == '?')) {
++	    else if ((rem >= 2) && (CUR == '<') && (NXT(1) == '?')) {
+ 		htmlParsePI(ctxt);
+ 	    }
+ 
+ 	    /*
+ 	     * Third case :  a sub-element.
+ 	     */
+-	    else if (CUR == '<') {
++	    else if ((rem >= 1) && (CUR == '<')) {
+ 		htmlParseElementInternal(ctxt);
+ 		if (currentNode != NULL) xmlFree(currentNode);
+ 
[email protected]@ -4581,7 +4589,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+ 	     * Fourth case : a reference. If if has not been resolved,
+ 	     *    parsing returns it's Name, create the node
+ 	     */
+-	    else if (CUR == '&') {
++	    else if ((rem >= 1) && (CUR == '&')) {
+ 		htmlParseReference(ctxt);
+ 	    }
+
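Review bot: In the embedded `htmlParseContentInternal` hunk, `rem` is computed at the top of the loop before `GROW;`, so every later `rem >= N` guard tests the byte count from before the buffer had a chance to refill. If GROW pulls in more input (its definition is not shown here, so this is inferred from how it is used), a `<!--` or `<!DOCTYPE` that straddles a chunk boundary can fail the `rem >= 4` / `rem >= 9` test and be handed to the `(rem >= 1) && (CUR == '<')` sub-element branch instead. Conversely, any code between the hunks that advances `cur` would leave `rem` too large and the `NXT()`/`UPP()` look-ahead unguarded. Compute the value after the refill, i.e. `GROW;` followed by `long rem = ctxt->input->end - ctxt->input->cur;`, or re-evaluate the pointer difference inside each guard. The added declaration is also space-indented where the neighbouring lines use tabs, and the loop body continues outside the visible hunks.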