This is another fuzzing bug from chromium. The entity parsing code in tree.c is getting an integer overflow when a very long, invalid hex (or decimal) entity is used: e.g. #xabcdefabcdef;
For these cases, I am setting the error to XML_TREE_UNTERMINATED_ENTITY. The other 2 existing codes are XML_TREE_INVALID_HEX, XML_TREE_INVALID_DEC. I thought unterminated is the better choice, but maybe a new code such as XML_TREE_INVALID_CHAR could be used. See crbug.com/796804
From c3d07d925ad85d3a26a609bc544b388426255df4 Mon Sep 17 00:00:00 2001 From: Joel Hockey <joel.hoc...@gmail.com> Date: Wed, 3 Jan 2018 18:52:36 -0800 Subject: [PATCH] Check hex or decimal entity for overflow --- tree.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tree.c b/tree.c index 959421bd..ab48909a 100644 --- a/tree.c +++ b/tree.c @@ -1527,6 +1527,12 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { charval = 0; break; } + if (charval > 0x10FFFF) { + xmlTreeErr(XML_TREE_UNTERMINATED_ENTITY, (xmlNodePtr) doc, + NULL); + charval = 0; + break; + } cur++; tmp = *cur; } @@ -1545,6 +1551,12 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { charval = 0; break; } + if (charval > 0x10FFFF) { + xmlTreeErr(XML_TREE_UNTERMINATED_ENTITY, (xmlNodePtr) doc, + NULL); + charval = 0; + break; + } cur++; tmp = *cur; } -- 2.16.0.rc0.223.g4a4ac83678-goog
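Review bot: the same five-line check is pasted into both the hex loop (first hunk) and the decimal loop (second hunk); a single bound check placed right after the digit accumulation, or a small helper, would keep the 0x10FFFF limit and the error code from drifting apart between the two copies. Also, XML_TREE_UNTERMINATED_ENTITY misdescribes the condition, since an over-long reference such as #xabcdefabcdef; is properly terminated with ';'; using XML_TREE_INVALID_HEX in the first hunk and XML_TREE_INVALID_DEC in the second, or the new XML_TREE_INVALID_CHAR code the cover note floats, would report the actual failure. The placement itself is sound: charval is checked after every digit, so it is at most 0x10FFFF before the next multiply by 16 or 10 and cannot overflow a 32-bit int.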
xml mailing list, project page http://xmlsoft.org/ xml@gnome.org https://mail.gnome.org/mailman/listinfo/xml
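To make the overflow described in the cover note concrete, here is an added example (constructed for this page, not libxml2's code) with the same digit-accumulation shape as the two loops patched in tree.c: without the range check, a long reference such as &#x100000041; wraps around to a small code point ('A'), while the patch's `charval > 0x10FFFF` check rejects it on the first out-of-range digit. The function name, its -1 error convention and the uint32_t accumulator are assumptions of this example.

```c
#include <stdint.h>

/* Constructed example, not libxml2's code: accumulate the digits of a
 * numeric character reference (the text after "&#x" or "&#") up to ';'.
 * Shape mirrors the loops patched in tree.c's xmlStringGetNodeList.
 *   hex:     1 for hexadecimal digits, 0 for decimal digits.
 *   bounded: 1 applies the patch's range check after every digit.
 * Returns the code point, or -1 for an invalid or unterminated reference. */
static long long parse_charref(const char *s, int hex, int bounded)
{
    /* tree.c uses a signed int; uint32_t here so the unchecked wraparound
     * is well-defined and reproducible rather than undefined behaviour. */
    uint32_t charval = 0;
    const char *cur = s;

    while (*cur != ';') {
        uint32_t d;
        if (*cur >= '0' && *cur <= '9')
            d = (uint32_t)(*cur - '0');
        else if (hex && *cur >= 'a' && *cur <= 'f')
            d = (uint32_t)(*cur - 'a' + 10);
        else if (hex && *cur >= 'A' && *cur <= 'F')
            d = (uint32_t)(*cur - 'A' + 10);
        else
            return -1;      /* bad digit, or NUL before ';' (unterminated) */

        charval = charval * (hex ? 16u : 10u) + d;

        /* The patch's check: bail out as soon as the value leaves the
         * Unicode range, so the next multiply can never overflow. */
        if (bounded && charval > 0x10FFFF)
            return -1;
        cur++;
    }
    if (cur == s)
        return -1;          /* "&#;" or "&#x;": no digits at all */
    return (long long)charval;
}
```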