tag CVE-2016-1839 Tagger: Daniel Veillard Date: Mon May 23 16:47:42 2016 +0800 CVE-2016-1839 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEABECAAYFAldCw7IACgkQRga4pd6VvB9yrgCeOVXss73umaDp/EpkEnDqgSjD xVsAn0F0Bg3aSkJW/eaJfHpcUiTUZQkY =bYIc -----END PGP SIGNATURE----- commit a820dbeac29d330bae4be05d9ecd939ad6b4aa33 Author: Pranjal Jumde Date: Tue Mar 1 11:34:04 2016 -0800 Bug 758605: Heap-based buffer overread in xmlDictAddString Reviewed by David Kilzer. * HTMLparser.c: (htmlParseName): Add bounds check. (htmlParseNameComplex): Ditto. * result/HTML/758605.html: Added. * result/HTML/758605.html.err: Added. * result/HTML/758605.html.sax: Added. * runtest.c: (pushParseTest): The input for the new test case was so small (4 bytes) that htmlParseChunk() was never called after htmlCreatePushParserCtxt(), thereby creating a false positive test failure. Fixed by using a do-while loop so we always call htmlParseChunk() at least once. * test/HTML/758605.html: Added. Index: libxml2-2.7.6/HTMLparser.c =================================================================== --- libxml2-2.7.6.orig/HTMLparser.c +++ libxml2-2.7.6/HTMLparser.c @@ -2378,6 +2378,10 @@ htmlParseName(htmlParserCtxtPtr ctxt) { (*in == '_') || (*in == '-') || (*in == ':') || (*in == '.')) in++; + + if (in == ctxt->input->end) + return(NULL); + if ((*in > 0) && (*in < 0x80)) { count = in - ctxt->input->cur; ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count); @@ -2421,6 +2425,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ct NEXTL(l); c = CUR_CHAR(l); } + + if (ctxt->input->base > ctxt->input->cur - len) + return(NULL); + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); } Index: libxml2-2.7.6/result/HTML/758605.html =================================================================== --- /dev/null +++ libxml2-2.7.6/result/HTML/758605.html @@ -0,0 +1,3 @@ + +

& +

Index: libxml2-2.7.6/result/HTML/758605.html.err =================================================================== --- /dev/null +++ libxml2-2.7.6/result/HTML/758605.html.err @@ -0,0 +1,3 @@ +./test/HTML/758605.html:1: HTML parser error : htmlParseEntityRef: no name +ê + ^ Index: libxml2-2.7.6/result/HTML/758605.html.sax =================================================================== --- /dev/null +++ libxml2-2.7.6/result/HTML/758605.html.sax @@ -0,0 +1,13 @@ +SAX.setDocumentLocator() +SAX.startDocument() +SAX.error: htmlParseEntityRef: no name +SAX.startElement(html) +SAX.startElement(body) +SAX.startElement(p) +SAX.characters(&, 1) +SAX.ignorableWhitespace( +, 1) +SAX.endElement(p) +SAX.endElement(body) +SAX.endElement(html) +SAX.endDocument() Index: libxml2-2.7.6/runtest.c =================================================================== --- libxml2-2.7.6.orig/runtest.c +++ libxml2-2.7.6/runtest.c @@ -1828,7 +1828,7 @@ pushParseTest(const char *filename, cons ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename); xmlCtxtUseOptions(ctxt, options); cur += 4; - while (cur < size) { + do { if (cur + 1024 >= size) { #ifdef LIBXML_HTML_ENABLED if (options & XML_PARSE_HTML) @@ -1846,7 +1846,7 @@ pushParseTest(const char *filename, cons xmlParseChunk(ctxt, base + cur, 1024, 0); cur += 1024; } - } + } while (cur < size); doc = ctxt->myDoc; #ifdef LIBXML_HTML_ENABLED if (options & XML_PARSE_HTML) Index: libxml2-2.7.6/test/HTML/758605.html =================================================================== --- /dev/null +++ libxml2-2.7.6/test/HTML/758605.html @@ -0,0 +1 @@ +&: