1From 44ecefc8cc299a66ac21ffec141eb261e92638da Mon Sep 17 00:00:00 2001 
2From: Nick Wellnhofer <wellnhofer@aevum.de> 
3Date: Mon, 20 Mar 2023 15:52:38 +0100 
4Subject: [PATCH] malloc-fail: Fix buffer overread after htmlParseScript 
5 
6Found by OSS-Fuzz, see #344. 
7 
8Reference:https://github.com/GNOME/libxml2/commit/44ecefc8cc299a66ac21ffec141eb261e92638da 
9Conflict:HTMLparser.c 
10 
11--- 
12 HTMLparser.c | 2 +- 
13 1 file changed, 1 insertion(+), 1 deletion(-) 
14 
15diff --git a/HTMLparser.c b/HTMLparser.c 
16index 0cc9824..4f1a3d8 100644 
17--- a/HTMLparser.c 
18+++ b/HTMLparser.c 
19@@ -3137,6 +3137,7 @@ htmlParseScript(htmlParserCtxtPtr ctxt) { 
20 htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR, 
21 "Invalid char in CDATA 0x%X\n", cur); 
22 } 
23+ NEXTL(l); 
24 if (nbchar >= HTML_PARSER_BIG_BUFFER_SIZE) { 
25 buf[nbchar] = 0; 
26 if (ctxt->sax->cdataBlock!= NULL) { 
27@@ -3149,7 +3150,6 @@ htmlParseScript(htmlParserCtxtPtr ctxt) { 
28 } 
29 nbchar = 0; 
30 } 
31- NEXTL(l); 
32 GROW; 
33 cur = CUR_CHAR(l); 
34 } 
35-- 
362.27.0 
37 
38
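Review bot: The new position of `NEXTL(l);` in the first hunk (before the `nbchar >= HTML_PARSER_BIG_BUFFER_SIZE` flush) carries no comment, so a reader of the final file cannot tell why the advance must precede the `ctxt->sax->cdataBlock` callback rather than follow it as in the second hunk's removed line. I would add above the inserted line a comment such as `/* Advance the input before the SAX flush below: on allocation failure the callback can halt the parser and replace the input buffer, and advancing afterwards reads past it (commit 44ecefc8, OSS-Fuzz #344). */`, where the halt-and-replace behaviour is inferred from the subject line rather than visible in these hunks and should be confirmed against the halting code. The lines between the two hunks, where the cdataBlock/characters dispatch lives, are outside both hunks, so it is worth checking that nothing there still touches `ctxt->input` after the callback. The enclosing loop of htmlParseScript starts and ends outside both hunks.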