| From 8fb4a770075628d6441fb17a1e435100e2f3b1a2 Mon Sep 17 00:00:00 2001 |
| From: Hugh Davenport <hugh@allthethings.co.nz> |
| Date: Fri, 20 Nov 2015 17:16:06 +0800 |
| Subject: [PATCH] CVE-2015-8242 Buffer overead with HTML parser in push mode |
| |
| For https://bugzilla.gnome.org/show_bug.cgi?id=756372 |
| Error in the code pointing to the codepoint in the stack for the |
| current char value instead of the pointer in the input that the SAX |
| callback expects |
| Reported and fixed by Hugh Davenport |
| |
| Upstream-Status: Backport |
| |
| CVE-2015-8242 |
| |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| HTMLparser.c | 6 +++--- |
| 1 file changed, 3 insertions(+), 3 deletions(-) |
| |
| diff --git a/HTMLparser.c b/HTMLparser.c |
| index bdf7807..b729197 100644 |
| --- a/HTMLparser.c |
| +++ b/HTMLparser.c |
| @@ -5735,17 +5735,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { |
| if (ctxt->keepBlanks) { |
| if (ctxt->sax->characters != NULL) |
| ctxt->sax->characters( |
| - ctxt->userData, &cur, 1); |
| + ctxt->userData, &in->cur[0], 1); |
| } else { |
| if (ctxt->sax->ignorableWhitespace != NULL) |
| ctxt->sax->ignorableWhitespace( |
| - ctxt->userData, &cur, 1); |
| + ctxt->userData, &in->cur[0], 1); |
| } |
| } else { |
| htmlCheckParagraph(ctxt); |
| if (ctxt->sax->characters != NULL) |
| ctxt->sax->characters( |
| - ctxt->userData, &cur, 1); |
| + ctxt->userData, &in->cur[0], 1); |
| } |
| } |
| ctxt->token = 0; |
| -- |
| 2.3.5 |
| |