153aa9179Sopenharmony_ciFrom 4b3452d17123631ec43d532b83dc182c1a638fed Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Wed, 15 Mar 2023 16:56:36 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] html: Fix quadratic behavior in htmlParseTryOrFinish
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciFix check for end of script content.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciFound by OSS-Fuzz.
953aa9179Sopenharmony_ci
1053aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/4b3452d17123631ec43d532b83dc182c1a638fed
1153aa9179Sopenharmony_ciConflict:NA
1253aa9179Sopenharmony_ci
1353aa9179Sopenharmony_ci---
1453aa9179Sopenharmony_ci HTMLparser.c | 8 +++++++-
1553aa9179Sopenharmony_ci 1 file changed, 7 insertions(+), 1 deletion(-)
1653aa9179Sopenharmony_ci
1753aa9179Sopenharmony_cidiff --git a/HTMLparser.c b/HTMLparser.c
1853aa9179Sopenharmony_ciindex b76218c..6c8f180 100644
1953aa9179Sopenharmony_ci--- a/HTMLparser.c
2053aa9179Sopenharmony_ci+++ b/HTMLparser.c
2153aa9179Sopenharmony_ci@@ -5984,8 +5984,14 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
2253aa9179Sopenharmony_ci if (idx < 0)
2353aa9179Sopenharmony_ci goto done;
2453aa9179Sopenharmony_ci val = in->cur[idx + 2];
2553aa9179Sopenharmony_ci- if (val == 0) /* bad cut of input */
2653aa9179Sopenharmony_ci+ if (val == 0) { /* bad cut of input */
2753aa9179Sopenharmony_ci+ /*
2853aa9179Sopenharmony_ci+ * FIXME: htmlParseScript checks for additional
2953aa9179Sopenharmony_ci+ * characters after '</'.
3053aa9179Sopenharmony_ci+ */
3153aa9179Sopenharmony_ci+ ctxt->checkIndex = idx;
3253aa9179Sopenharmony_ci goto done;
3353aa9179Sopenharmony_ci+ }
3453aa9179Sopenharmony_ci }
3553aa9179Sopenharmony_ci htmlParseScript(ctxt);
3653aa9179Sopenharmony_ci if ((cur == '<') && (next == '/')) {
3753aa9179Sopenharmony_ci--
3853aa9179Sopenharmony_ci2.27.0
3953aa9179Sopenharmony_ci
40
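Review bot: The new `ctxt->checkIndex = idx;` line carries no comment explaining why the index is recorded, even though it is the whole fix: without it every further push of input rescans the script content from the start, which is the quadratic behavior named in the subject. The assignment only helps if the lookup that computed `idx` (outside this hunk, as is the rest of htmlParseTryOrFinish) starts its scan from `checkIndex` and clears it once a match is found; that contract is not visible here and is worth stating next to the assignment, e.g. `/* Remember where "</" was found so the next chunk resumes the lookup here instead of rescanning the whole script body. */`. The read `val = in->cur[idx + 2];` on the context line above also presumably relies on the input buffer being NUL-terminated so that an input cut right after "</" yields 0 rather than an out-of-bounds read; a short remark on the `if (val == 0)` line that the 0 is the buffer terminator, not script content, would make the "bad cut of input" comment self-explanatory.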