On Mon, Jan 8, 2018 at 11:27 AM, Nick Wellnhofer <wellnho...@aevum.de> wrote:
> On 02/01/2018 20:08, Jay Civelli via xml wrote:
>
>> We ran into a heap use after free in Chromium http://crbug.com/793715
>> that I think I tracked down.
>
> I don't have access to this page.

You should have access now.

>> I have a tentative patch attached to address it.
>> In parser.c, if a call to xmlCharEncInput() fails and has grown the
>> buffer, the ctxt object could still point to the old deleted buffer.
>
> Maybe it's better to call xmlHaltParser if xmlCharEncInput fails. That's
> what the other code path in xmlParseChunk does.

Good idea, done in the new attached patch. Note that I changed the error from the existing XML_ERR_INVALID_ENCODING to XML_ERR_INVALID_CHAR, which seemed to make more sense.

Jay

> Nick
From 89632441fba22400cc5b1e413766aa2f32ff5f91 Mon Sep 17 00:00:00 2001 From: Jay Civelli <jcive...@google.com> Date: Mon, 8 Jan 2018 13:38:39 -0800 Subject: [PATCH] Fix heap use after free. In parser.c, if a call to xmlCharEncInput() fails and has grown the buffer, the ctxt object could still point to the old deleted buffer. Halt the parsing in such a case. --- parser.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/parser.c b/parser.c index a30dd18e..823793c4 100644 --- a/parser.c +++ b/parser.c @@ -12214,9 +12214,9 @@ xmldecl_done: nbchars = xmlCharEncInput(in, terminate); if (nbchars < 0) { /* TODO 2.6.0 */ - xmlGenericError(xmlGenericErrorContext, - "xmlParseChunk: encoder error\n"); - return(XML_ERR_INVALID_ENCODING); + ctxt->errNo = XML_ERR_INVALID_CHAR; + xmlHaltParser(ctxt); + return (XML_ERR_INVALID_CHAR); } xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current); } -- 2.16.0.rc0.223.g4a4ac83678-goog
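Review bot: the replacement lines in the hunk set ctxt->errNo and call xmlHaltParser but never report the failure, whereas the removed lines at least printed "xmlParseChunk: encoder error" through xmlGenericError; a caller that relies on the parser's error callbacks now gets no message at all. Consider raising the error through the normal reporting path first (for example xmlFatalErr, which also sets errNo) and then halting, so the recorded code and the reported error stay consistent. Second, the hunk swaps XML_ERR_INVALID_ENCODING for XML_ERR_INVALID_CHAR, but a negative return from xmlCharEncInput means the encoder failed on the input byte stream, which is what XML_ERR_INVALID_ENCODING names; keeping the original code would also preserve behaviour for callers that check it. Minor: `return (XML_ERR_INVALID_CHAR);` puts a space before the parenthesis where the removed `return(XML_ERR_INVALID_ENCODING);` and the surrounding file do not, and the `/* TODO 2.6.0 */` comment above the changed lines is left in place although this path is now handled deliberately.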
_______________________________________________
xml mailing list, project page http://xmlsoft.org/
xml@gnome.org
https://mail.gnome.org/mailman/listinfo/xml
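The failure mode discussed in the thread, a context that caches raw pointers into a buffer which a failing step has already reallocated, is small enough to model on its own. The following is an added example written for this page; it is not libxml2 code, and `struct buf`, `struct input`, `enc_input`, `feed` and `next_byte` are hypothetical stand-ins for the xmlBuf, parser input, xmlCharEncInput, xmlParseChunk and cursor logic the e-mail refers to. The constructed encoder always grows the buffer before it can fail, so a failure leaves the cached `base`/`cur` pointers dangling exactly as described; `feed` applies the patch's remedy (halt and return without touching those pointers) and additionally nulls them so any later misuse traps instead of reading freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer; a stand-in for a libxml2 xmlBuf, not its code. */
struct buf {
    char  *content;
    size_t use;
    size_t size;
};

/* Hypothetical input context that caches raw pointers into the buffer. */
struct input {
    struct buf *buffer;
    const char *base;     /* cached pointer into buffer->content */
    const char *cur;      /* read cursor, also into buffer->content */
    int         halted;   /* set once the stream is unusable (cf. xmlHaltParser) */
};

static int buf_init(struct buf *b, size_t size) {
    b->content = malloc(size);
    if (b->content == NULL) return -1;
    b->use = 0;
    b->size = size;
    return 0;
}

static int input_init(struct input *in, struct buf *b) {
    if (buf_init(b, 4) < 0) return -1;
    in->buffer = b;
    in->base = in->cur = b->content;
    in->halted = 0;
    return 0;
}

/* Reallocate the backing store; every pointer into the old block is now dangling. */
static int buf_grow(struct buf *b, size_t need) {
    size_t newsize = b->size * 2 + need;
    char *p = malloc(newsize);
    if (p == NULL) return -1;
    memcpy(p, b->content, b->use);
    free(b->content);             /* the old block is gone from here on */
    b->content = p;
    b->size = newsize;
    return 0;
}

/* Constructed encoder: grows the buffer first, then rejects any non-ASCII byte,
 * so a failure leaves the caller's cached pointers stale. Returns bytes
 * consumed or -1 on error (the same contract the thread describes). */
static int enc_input(struct buf *b, const char *src, size_t n) {
    if (buf_grow(b, n) < 0) return -1;
    for (size_t i = 0; i < n; i++) {
        if ((unsigned char)src[i] >= 0x80) return -1;
        b->content[b->use++] = src[i];
    }
    return (int)n;
}

/* Feed one chunk. Mirrors the patched control flow: remember offsets, run the
 * encoder, and on failure halt WITHOUT re-deriving or using base/cur. */
static int feed(struct input *in, const char *chunk, size_t n) {
    if (in->halted) return -1;
    size_t base_off = (size_t)(in->base - in->buffer->content);
    size_t cur_off  = (size_t)(in->cur  - in->buffer->content);
    if (enc_input(in->buffer, chunk, n) < 0) {
        in->halted = 1;
        in->base = in->cur = NULL;   /* defence in depth: trap rather than read freed memory */
        return -1;
    }
    in->base = in->buffer->content + base_off;   /* cf. xmlBufSetInputBaseCur */
    in->cur  = in->buffer->content + cur_off;
    return 0;
}

/* Read the next byte, refusing once the input has been halted. Returns -1 at end or when halted. */
static int next_byte(struct input *in) {
    if (in->halted || in->cur == NULL || in->cur >= in->buffer->content + in->buffer->use)
        return -1;
    return (unsigned char)*in->cur++;
}

int main(void) {
    struct buf b;
    struct input in;
    if (input_init(&in, &b) < 0) return 1;
    /* Constructed inputs: a clean chunk, then one containing a non-ASCII byte. */
    int r1 = feed(&in, "<a>", 3);
    int c  = next_byte(&in);
    int r2 = feed(&in, "<\xC3\xA9>", 4);
    int c2 = next_byte(&in);
    printf("good chunk: %d, first byte '%c'\n", r1, c);
    printf("bad chunk: %d, halted=%d, next_byte=%d\n", r2, in.halted, c2);
    free(b.content);
    return 0;
}
```

The defensive part is the `halted` flag plus the nulled pointers: after a failed encoder call the only safe thing to do with the cached pointers is to stop using them, and making every accessor check the flag turns a silent use after free into a deterministic refusal that tools such as ASan or a crash report would surface immediately.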