Hi,
We ran into a heap use after free in Chromium http://crbug.com/793715 that
I think I tracked down. I have a tentative patch attached to address it.
In parser.c, if a call to xmlCharEncInput() fails and has grown the buffer,
the ctxt object could still point to the old deleted buffer.

Thanks.

Jay
From 178f65add031108cc13ee8446fb8a5bd5ad9be88 Mon Sep 17 00:00:00 2001
From: Jay Civelli <jcive...@google.com>
Date: Thu, 28 Dec 2017 10:27:48 -0800
Subject: [PATCH] Fix heap use after free.

In parser.c, if a call to xmlCharEncInput() fails and has grown the
buffer, the ctxt object could still point to the old deleted buffer.
Make sure we always update the ctxt.
---
 parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index a30dd18e..3a0b640b 100644
--- a/parser.c
+++ b/parser.c
@@ -12212,13 +12212,13 @@ xmldecl_done:
 		size_t current = ctxt->input->cur - ctxt->input->base;
 
 		nbchars = xmlCharEncInput(in, terminate);
+		xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
 		if (nbchars < 0) {
 		    /* TODO 2.6.0 */
 		    xmlGenericError(xmlGenericErrorContext,
 				    "xmlParseChunk: encoder error\n");
 		    return(XML_ERR_INVALID_ENCODING);
 		}
-		xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
 	    }
 	}
     }
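Review bot: the move of xmlBufSetInputBaseCur() ahead of the `nbchars < 0` check is the right fix for the stale base/cur pointers, but nothing in the hunk records why the order matters, so a later cleanup could put it back under the error check; add a one-line comment above the moved call, e.g. `/* Refresh base/cur even on error: xmlCharEncInput() may have reallocated in->buffer. */`. Within the visible context the encoder-error return is the only early exit between the xmlCharEncInput() call and the old update site, so the unconditional call covers the path described in the commit message.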
-- 
2.15.1.620.gb9897f4670-goog

_______________________________________________
xml mailing list, project page  http://xmlsoft.org/
xml@gnome.org
https://mail.gnome.org/mailman/listinfo/xml