153aa9179Sopenharmony_ciFrom 44ecefc8cc299a66ac21ffec141eb261e92638da Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Mon, 20 Mar 2023 15:52:38 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Fix buffer overread after htmlParseScript
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciFound by OSS-Fuzz, see #344.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/44ecefc8cc299a66ac21ffec141eb261e92638da
953aa9179Sopenharmony_ciConflict:HTMLparser.c
1053aa9179Sopenharmony_ci
1153aa9179Sopenharmony_ci---
1253aa9179Sopenharmony_ci HTMLparser.c | 2 +-
1353aa9179Sopenharmony_ci 1 file changed, 1 insertion(+), 1 deletion(-)
1453aa9179Sopenharmony_ci
1553aa9179Sopenharmony_cidiff --git a/HTMLparser.c b/HTMLparser.c
1653aa9179Sopenharmony_ciindex 0cc9824..4f1a3d8 100644
1753aa9179Sopenharmony_ci--- a/HTMLparser.c
1853aa9179Sopenharmony_ci+++ b/HTMLparser.c
1953aa9179Sopenharmony_ci@@ -3137,6 +3137,7 @@ htmlParseScript(htmlParserCtxtPtr ctxt) {
2053aa9179Sopenharmony_ci htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR,
2153aa9179Sopenharmony_ci "Invalid char in CDATA 0x%X\n", cur);
2253aa9179Sopenharmony_ci }
2353aa9179Sopenharmony_ci+ NEXTL(l);
2453aa9179Sopenharmony_ci if (nbchar >= HTML_PARSER_BIG_BUFFER_SIZE) {
2553aa9179Sopenharmony_ci buf[nbchar] = 0;
2653aa9179Sopenharmony_ci if (ctxt->sax->cdataBlock!= NULL) {
2753aa9179Sopenharmony_ci@@ -3149,7 +3150,6 @@ htmlParseScript(htmlParserCtxtPtr ctxt) {
2853aa9179Sopenharmony_ci }
2953aa9179Sopenharmony_ci nbchar = 0;
3053aa9179Sopenharmony_ci }
3153aa9179Sopenharmony_ci- NEXTL(l);
3253aa9179Sopenharmony_ci GROW;
3353aa9179Sopenharmony_ci cur = CUR_CHAR(l);
3453aa9179Sopenharmony_ci }
3553aa9179Sopenharmony_ci--
3653aa9179Sopenharmony_ci2.27.0
3753aa9179Sopenharmony_ci
38
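Review bot: The ordering that the moved `NEXTL(l);` establishes in the first hunk is not documented in the new code, so a later cleanup could move it back below the nbchar flush and reintroduce the overread the subject line describes; a comment on the added line such as `/* Advance before the SAX callback: under malloc failure the callback path is presumed to halt the parser and replace the input, so advancing afterwards could step past the end of the new buffer */` would preserve the intent (the mechanism is inferred from the commit subject, not visible in the hunk). The `while` loop enclosing these lines starts before the first hunk and ends after the second, so whether its condition stops the loop once a halted parser's `CUR_CHAR(l)` yields 0 cannot be confirmed from here and is worth checking at the backport site given the noted conflict in HTMLparser.c. The second hunk is only the matching deletion and needs no separate note.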