Diffstat (limited to 'debian/patches/0058-Fix-upstream-bug-299127.patch')
-rw-r--r-- | debian/patches/0058-Fix-upstream-bug-299127.patch | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/debian/patches/0058-Fix-upstream-bug-299127.patch b/debian/patches/0058-Fix-upstream-bug-299127.patch
new file mode 100644
index 0000000..b42b8ee
--- /dev/null
+++ b/debian/patches/0058-Fix-upstream-bug-299127.patch
@@ -0,0 +1,99 @@
+From: =?utf-8?q?Rapha=C3=ABl_Hertzog?= <hertzog@debian.org>
+Date: Tue, 25 Aug 2015 23:17:02 +0200
+Subject: Fix upstream bug 299127
+
+Out of bound access when parsing unclosed comment
+
+Author: Francois Chagnon
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=746048
+---
+ HTMLparser.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 8d34fd1..69ccfd3 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -3245,13 +3245,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+ ctxt->instate = state;
+ return;
+ }
++ if ((ctxt->input->end - ctxt->input->cur) < 3) {
++ ctxt->instate = XML_PARSER_EOF;
++ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++ "Comment not terminated\n", NULL, NULL);
++ xmlFree(buf);
++ return;
++ }
+ q = CUR_CHAR(ql);
+ NEXTL(ql);
+ r = CUR_CHAR(rl);
+ NEXTL(rl);
+ cur = CUR_CHAR(l);
+ len = 0;
+- while (IS_CHAR(cur) &&
++ while (((ctxt->input->end - ctxt->input->cur) > 0) && IS_CHAR(cur) &&
+ ((cur != '>') ||
+ (r != '-') || (q != '-'))) {
+ if (len + 5 >= size) {
+@@ -3281,7 +3288,7 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
+ }
+ }
+ buf[len] = 0;
+- if (!IS_CHAR(cur)) {
++ if (!(ctxt->input->end - ctxt->input->cur) || !IS_CHAR(cur)) {
+ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+ "Comment not terminated \n<!--%.50s\n", buf, NULL);
+ xmlFree(buf);
+@@ -4465,6 +4472,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+ depth = ctxt->nameNr;
+ while (1) {
+ long cons = ctxt->nbChars;
++ long rem = ctxt->input->end - ctxt->input->cur;
+ 
+ GROW;
+ 
+@@ -4540,7 +4548,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+ /*
+ * Sometimes DOCTYPE arrives in the middle of the document
+ */
+- if ((CUR == '<') && (NXT(1) == '!') &&
++ if ((rem >= 9) && (CUR == '<') && (NXT(1) == '!') &&
+ (UPP(2) == 'D') && (UPP(3) == 'O') &&
+ (UPP(4) == 'C') && (UPP(5) == 'T') &&
+ (UPP(6) == 'Y') && (UPP(7) == 'P') &&
+@@ -4554,7 +4562,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+ /*
+ * First case : a comment
+ */
+- if ((CUR == '<') && (NXT(1) == '!') &&
++ if ((rem >= 4) && (CUR == '<') && (NXT(1) == '!') &&
+ (NXT(2) == '-') && (NXT(3) == '-')) {
+ htmlParseComment(ctxt);
+ }
+@@ -4562,14 +4570,14 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+ /*
+ * Second case : a Processing Instruction.
+ */
+- else if ((CUR == '<') && (NXT(1) == '?')) {
++ else if ((rem >= 2) && (CUR == '<') && (NXT(1) == '?')) {
+ htmlParsePI(ctxt);
+ }
+ 
+ /*
+ * Third case : a sub-element.
+ */
+- else if (CUR == '<') {
++ else if ((rem >= 1) && (CUR == '<')) {
+ htmlParseElementInternal(ctxt);
+ if (currentNode != NULL) xmlFree(currentNode);
+ 
+@@ -4581,7 +4589,7 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
+ * Fourth case : a reference. If if has not been resolved,
+ * parsing returns it's Name, create the node
+ */
+- else if (CUR == '&') {
++ else if ((rem >= 1) && (CUR == '&')) {
+ htmlParseReference(ctxt);
+ }
+ 
|
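Review bot: In the embedded `@@ -4465` hunk `rem` is computed from `ctxt->input->cur`/`end` before `GROW;`, yet every `rem >= N` guard added later in htmlParseContentInternal is evaluated against `CUR`/`NXT` after it; if GROW can refill the input buffer, `rem` understates what is actually available and a complete `<!--`, `<?` or `<!DOCTYPE` prefix can be routed to a later branch such as the `(rem >= 1) && (CUR == '<')` element case instead of being rejected for shortness. Computing the bound on the same buffer state as the reads avoids that, i.e. `GROW;` followed by `long rem = ctxt->input->end - ctxt->input->cur;`. In the `@@ -3245` hunk the new `< 3` guard counts bytes while the following `CUR_CHAR(ql)`/`NEXTL(ql)` and `CUR_CHAR(rl)`/`NEXTL(rl)` pairs advance by the character lengths `ql` and `rl`, so presumably three multibyte characters can still overrun the guarded span and only the in-loop `end - cur > 0` check catches them; a comment such as `/* 3 bytes suffice for q, r and cur only in the single-byte case; multibyte input relies on the loop's end check */` would record that reliance. Both htmlParseComment and htmlParseContentInternal begin and end outside the hunks shown, so the state machine around `ctxt->instate = XML_PARSER_EOF` and the `while (1)` loop exit are not visible here.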