aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch
blob: bd9077d7c4b84f0c896a4dc6e720d8352e337676 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 23 Oct 2015 19:02:28 +0800
Subject: [PATCH] Another variation of overflow in Conditional sections

Which happen after the previous fix to
https://bugzilla.gnome.org/show_bug.cgi?id=756456

But stopping the parser and exiting we didn't pop the intermediary entities
and doing the SKIP there applies on an input which may be too small
---
 parser.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index a65e4cc..b9217ff 100644
--- a/parser.c
+++ b/parser.c
@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
 	"All markup of the conditional section is not in the same entity\n",
 				 NULL, NULL);
 	}
-        SKIP(3);
+	if ((ctxt-> instate != XML_PARSER_EOF) &&
+	    ((ctxt->input->cur + 3) < ctxt->input->end))
+	    SKIP(3);
     }
 }
 
-- 
2.6.3