| From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001 |
| From: Daniel Veillard <veillard@redhat.com> |
| Date: Fri, 23 Oct 2015 19:02:28 +0800 |
| Subject: [PATCH] Another variation of overflow in Conditional sections |
| |
| Which happen after the previous fix to |
| https://bugzilla.gnome.org/show_bug.cgi?id=756456 |
| |
| But stopping the parser and exiting we didn't pop the intermediary entities |
| and doing the SKIP there applies on an input which may be too small |
| |
| Upstream-Status: Backport |
| |
| CVE-2015-7942 |
| |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| parser.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| diff --git a/parser.c b/parser.c |
| index a65e4cc..b9217ff 100644 |
| --- a/parser.c |
| +++ b/parser.c |
| @@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { |
| "All markup of the conditional section is not in the same entity\n", |
| NULL, NULL); |
| } |
| - SKIP(3); |
| + if ((ctxt-> instate != XML_PARSER_EOF) && |
| + ((ctxt->input->cur + 3) < ctxt->input->end)) |
| + SKIP(3); |
| } |
| } |
| |
| -- |
| 2.3.5 |
| |