Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame] | 1 | From 8fb4a770075628d6441fb17a1e435100e2f3b1a2 Mon Sep 17 00:00:00 2001 |
| 2 | From: Hugh Davenport <hugh@allthethings.co.nz> |
| 3 | Date: Fri, 20 Nov 2015 17:16:06 +0800 |
| 4 | Subject: [PATCH] CVE-2015-8242 Buffer overead with HTML parser in push mode |
| 5 | |
| 6 | For https://bugzilla.gnome.org/show_bug.cgi?id=756372 |
| 7 | Error in the code pointing to the codepoint in the stack for the |
| 8 | current char value instead of the pointer in the input that the SAX |
| 9 | callback expects |
| 10 | Reported and fixed by Hugh Davenport |
| 11 | |
| 12 | Upstream-Status: Backport |
| 13 | |
| 14 | CVE-2015-8242 |
| 15 | |
| 16 | Signed-off-by: Armin Kuster <akuster@mvista.com> |
| 17 | |
| 18 | --- |
| 19 | HTMLparser.c | 6 +++--- |
| 20 | 1 file changed, 3 insertions(+), 3 deletions(-) |
| 21 | |
| 22 | diff --git a/HTMLparser.c b/HTMLparser.c |
| 23 | index bdf7807..b729197 100644 |
| 24 | --- a/HTMLparser.c |
| 25 | +++ b/HTMLparser.c |
| 26 | @@ -5735,17 +5735,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { |
| 27 | if (ctxt->keepBlanks) { |
| 28 | if (ctxt->sax->characters != NULL) |
| 29 | ctxt->sax->characters( |
| 30 | - ctxt->userData, &cur, 1); |
| 31 | + ctxt->userData, &in->cur[0], 1); |
| 32 | } else { |
| 33 | if (ctxt->sax->ignorableWhitespace != NULL) |
| 34 | ctxt->sax->ignorableWhitespace( |
| 35 | - ctxt->userData, &cur, 1); |
| 36 | + ctxt->userData, &in->cur[0], 1); |
| 37 | } |
| 38 | } else { |
| 39 | htmlCheckParagraph(ctxt); |
| 40 | if (ctxt->sax->characters != NULL) |
| 41 | ctxt->sax->characters( |
| 42 | - ctxt->userData, &cur, 1); |
| 43 | + ctxt->userData, &in->cur[0], 1); |
| 44 | } |
| 45 | } |
| 46 | ctxt->token = 0; |
| 47 | -- |
| 48 | 2.3.5 |
| 49 | |