[libxml2] ChunkParser: Incorrect decoding of small xml files
- From: Daniel Veillard <veillard src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] ChunkParser: Incorrect decoding of small xml files
- Date: Mon, 15 Mar 2010 09:14:38 +0000 (UTC)
commit ba9716a1978001d5a7560cfcf46fe4846c36bbc0
Author: Raul Hudea <rhudea adobe com>
Date: Mon Mar 15 10:13:29 2010 +0100
ChunkParser: Incorrect decoding of small xml files
If encoding was autodetected, in xmlParseChunk, if initial size is 86 (a
chunk in UTF-16 encoding), the code that tries to read only the first line
will set the size to 90, which eventually leads to a memmove of 90 bytes
(in xmlBufferAdd) which will copy extra random memory bytes, which will
make the parser fail because of these extra bytes.
parser.c | 13 +++++++++++--
1 files changed, 11 insertions(+), 2 deletions(-)
---
diff --git a/parser.c b/parser.c
index 0834d13..85e7599 100644
--- a/parser.c
+++ b/parser.c
@@ -11562,8 +11562,17 @@ xmldecl_done:
if (ctxt->input->buf->rawconsumed < len)
len -= ctxt->input->buf->rawconsumed;
- remain = size - len;
- size = len;
+ /*
+ * Change size for reading the initial declaration only
+ * if size is greater than len. Otherwise, memmove in xmlBufferAdd
+ * will blindly copy extra bytes from memory.
+ */
+ if (size > len) {
+ remain = size - len;
+ size = len;
+ } else {
+ remain = 0;
+ }
}
res =xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
if (res < 0) {