Updated patch with XML_ERR_INVALID_CHAR.

On Tue, Jan 9, 2018 at 5:55 AM, Nick Wellnhofer <wellnho...@aevum.de> wrote:

> On 08/01/2018 02:06, Joel Hockey wrote:
>
>> The entity parsing code in tree.c is getting integer overflow when a very
>> long, invalid hex (or decimal) entity is used:  e.g. #xabcdefabcdef;
>>
>
> This is probably the same issue as
>
>     https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3874
>
> Also see
>
>     https://bugzilla.gnome.org/show_bug.cgi?id=783052
>
> The issue only arises in "recovery" mode (XML_PARSE_RECOVER). In the past,
> I tried to fix similar issues by not adding nodes containing invalid
> character references at all in an earlier stage of the parsing code, but
> I'm fine with your approach.
>
>> For these cases, I am setting the error to XML_TREE_UNTERMINATED_ENTITY.
>> The other 2 existing codes are XML_TREE_INVALID_HEX, XML_TREE_INVALID_DEC.
>> I thought unterminated is the better choice, but maybe a new code such as
>> XML_TREE_INVALID_CHAR could be used.
>>
>
> Regarding the error code, we could simply use XML_ERR_INVALID_CHAR or not
> report an error at all since invalid numeric character references are
> already detected and reported earlier.
>
> Nick
>
From 0382b8a9754b4a9d8e4edffabf916f071b3806fc Mon Sep 17 00:00:00 2001
From: Joel Hockey <joel.hoc...@gmail.com>
Date: Wed, 3 Jan 2018 18:52:36 -0800
Subject: [PATCH] Check hex or decimal entity for overflow

---
 tree.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/tree.c b/tree.c
index 959421bd..2089a932 100644
--- a/tree.c
+++ b/tree.c
@@ -1527,6 +1527,12 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
 			charval = 0;
 			break;
 		    }
+		    if (charval > 0x10FFFF) {
+			xmlTreeErr(XML_ERR_INVALID_CHAR, (xmlNodePtr) doc,
+			           NULL);
+			charval = 0;
+			break;
+		    }
 		    cur++;
 		    tmp = *cur;
 		}
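Review bot: the `if (charval > 0x10FFFF)` check sits after the digit has been folded into `charval` and before `cur++`, so it runs on every iteration; that placement is what makes it an overflow guard and not only a range check, since `charval` is at most 0x10FFFF whenever the next `* 16 + digit` step runs, which stays well inside a 32-bit int. Neither the hunk nor the commit message says so; a one-line comment on the check, e.g. `/* above the Unicode maximum; also keeps charval * 16 from overflowing */`, would make the subject line's overflow claim checkable. Note also that this `break` leaves `cur` on the hex digit that pushed the value over the limit, whereas the existing invalid-digit branch breaks on a non-digit; worth confirming that the code after the loop tolerates `cur` resting on a digit rather than on `;` or a non-digit.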
@@ -1545,6 +1551,12 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
 			charval = 0;
 			break;
 		    }
+		    if (charval > 0x10FFFF) {
+			xmlTreeErr(XML_ERR_INVALID_CHAR, (xmlNodePtr) doc,
+			           NULL);
+			charval = 0;
+			break;
+		    }
 		    cur++;
 		    tmp = *cur;
 		}
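Review bot: the decimal branch repeats the six-line hex block verbatim; the bound is still correct here (after each digit `charval <= 0x10FFFF`, so the next `* 10 + digit` step is bounded as well), but with the same check in two places it would be cleaner to hoist it out of the two loops or at least share one comment explaining why 0x10FFFF, the Unicode maximum, doubles as the overflow bound. It is also worth stating in the commit message that values at or below 0x10FFFF pass this check unexamined, so surrogates and other values that are not XML Char are left to whatever validation follows.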
-- 
2.16.0.rc0.223.g4a4ac83678-goog

_______________________________________________
xml mailing list, project page  http://xmlsoft.org/
xml@gnome.org
https://mail.gnome.org/mailman/listinfo/xml
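The overflow Joel describes, as an added example that is not part of this thread or of libxml2: a stand-alone C model of the hex/decimal digit loop in xmlStringGetNodeList, once without a bound (pre-patch) and once with the per-digit `charval > 0x10FFFF` check the patch adds. The function names, the helper layout and the unsigned accumulator used to make the pre-patch wrap deterministic are assumptions made for illustration; the real accumulator is a signed int, whose overflow is undefined behaviour rather than a guaranteed wrap.

```c
/*
 * Added example (not libxml2 code): a model of the numeric character
 * reference loop in tree.c, with and without the per-digit bound the
 * patch adds. Names and the unsigned accumulator in charref_unchecked
 * are illustration assumptions; signed overflow in the real int
 * accumulator is undefined behaviour and is only modelled here as a
 * two's-complement wrap.
 */
#include <stdint.h>
#include <stdio.h>

#define UNICODE_MAX 0x10FFFF   /* highest Unicode code point */

/* Value of one hex digit, or -1 if c is not a hex digit. For base 10 the
 * caller rejects anything >= 10, so 'a'..'f' are invalid there too. */
static int digit_value(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Skip "&#" or "&#x"; returns the base (10 or 16) and advances *s, or
 * returns 0 if the input does not start a numeric character reference. */
static int parse_prefix(const char **s)
{
    const char *p = *s;
    if (p[0] != '&' || p[1] != '#') return 0;
    p += 2;
    if (*p == 'x') { *s = p + 1; return 16; }
    *s = p;
    return 10;
}

/* Pre-patch behaviour: accumulate without a bound. With a 32-bit
 * accumulator a reference such as &#xabcdefabcdef; silently wraps to
 * 0xefabcdef, which is then treated as if it were a code point.
 * Returns 0 for anything that is not a well-formed reference. */
uint32_t charref_unchecked(const char *s)
{
    uint32_t charval = 0;
    int base = parse_prefix(&s);
    if (base == 0) return 0;
    for (; *s != ';'; s++) {
        int d = digit_value((unsigned char)*s);
        if (d < 0 || d >= base)          /* non-digit or NUL: invalid hex/dec */
            return 0;
        charval = charval * base + d;    /* wraps for long input */
    }
    return charval;
}

/* Patched behaviour: check after every digit, before the next multiply.
 * Because charval <= UNICODE_MAX whenever a digit is folded in, the
 * intermediate value never exceeds UNICODE_MAX * 16 + 15 (17825791),
 * far below INT_MAX, so the int accumulator cannot overflow. Returns
 * the code point, or -1 for an invalid, out-of-range or unterminated
 * reference. */
int charref_checked(const char *s)
{
    int charval = 0;
    int base = parse_prefix(&s);
    if (base == 0) return -1;
    for (; *s != ';'; s++) {
        int d = digit_value((unsigned char)*s);
        if (d < 0 || d >= base)
            return -1;                   /* invalid digit or unterminated */
        charval = charval * base + d;
        if (charval > UNICODE_MAX)
            return -1;                   /* the patch's XML_ERR_INVALID_CHAR case */
    }
    return charval;
}

int main(void)
{
    /* constructed inputs, including the long reference from the bug report */
    const char *inputs[] = { "&#x41;", "&#x10FFFF;", "&#x110000;",
                             "&#1114111;", "&#1114112;", "&#xabcdefabcdef;" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s unchecked=0x%08x checked=%d\n", inputs[i],
               (unsigned)charref_unchecked(inputs[i]),
               charref_checked(inputs[i]));
    return 0;
}
```

The unchecked loop accepts the twelve-digit reference and hands back a wrapped value; the checked loop rejects it on the digit that first pushes the running value past 0x10FFFF, which is also the reason the bound has to be tested inside the loop rather than once after it.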
