1From 643b4e90ebf619432b0287010b593edd8c0c0f8e Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Thu, 16 Feb 2023 14:45:06 +0100
4Subject: [PATCH] malloc-fail: Fix infinite loop in htmlParseStartTag
5
6Found with libFuzzer, see #344.
7
8Reference:https://github.com/GNOME/libxml2/commit/643b4e90ebf619432b0287010b593edd8c0c0f8e
9Conflict:NA
10---
11 HTMLparser.c | 10 ++++++++--
12 1 file changed, 8 insertions(+), 2 deletions(-)
13
14diff --git a/HTMLparser.c b/HTMLparser.c
15index 60dea30..0ccd6e8 100644
16--- a/HTMLparser.c
17+++ b/HTMLparser.c
18@@ -2570,6 +2570,7 @@ static const xmlChar * htmlParseNameComplex(xmlParserCtxtPtr ctxt);
19
20 static const xmlChar *
21 htmlParseHTMLName(htmlParserCtxtPtr ctxt) {
22+ const xmlChar *ret;
23 int i = 0;
24 xmlChar loc[HTML_PARSER_BUFFER_SIZE];
25
26@@ -2587,7 +2588,11 @@ htmlParseHTMLName(htmlParserCtxtPtr ctxt) {
27 NEXT;
28 }
29
30- return(xmlDictLookup(ctxt->dict, loc, i));
31+ ret = xmlDictLookup(ctxt->dict, loc, i);
32+ if (ret == NULL)
33+ htmlErrMemory(ctxt, NULL);
34+
35+ return(ret);
36 }
37
38
39@@ -4020,7 +4025,8 @@ htmlParseStartTag(htmlParserCtxtPtr ctxt) {
40 SKIP_BLANKS;
41 while ((CUR != 0) &&
42 (CUR != '>') &&
43- ((CUR != '/') || (NXT(1) != '>'))) {
44+ ((CUR != '/') || (NXT(1) != '>')) &&
45+ (ctxt->instate != XML_PARSER_EOF)) {
46 GROW;
47 attname = htmlParseAttribute(ctxt, &attvalue);
48 if (attname != NULL) {
49--
502.27.0
51
52
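Review bot: The second hunk makes a NULL return from htmlParseHTMLName a reachable outcome (xmlDictLookup failing under allocation pressure), but the function head carries no comment saying so, and a caller outside this patch that hands the result straight to a string routine or uses it as a map key would dereference NULL on exactly the malloc-failure path the fuzzer found. Add a header comment above the function, e.g. `/* Returns the interned tag/attribute name, or NULL after reporting a memory error via htmlErrMemory; callers must check for NULL and stop parsing on that path. */`. Whether htmlErrMemory also moves ctxt->instate to XML_PARSER_EOF is not visible in this patch; the third hunk appears to rely on it, so the comment should state that once confirmed. The scanning loop of htmlParseHTMLName lies between the first two hunks and is outside both, so it is not reviewed here.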
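Review bot: The added `(ctxt->instate != XML_PARSER_EOF)` condition ends the loop only if the failure path inside htmlParseAttribute sets that state (presumably htmlErrMemory does, but it is not shown in this patch); any NULL return that does not set it leaves CUR where it was and the loop spins again, which is the same allocation-failure denial-of-service this commit is fixing. Record the dependency on the new line, `/* a failed attribute parse does not advance CUR; htmlErrMemory sets instate to XML_PARSER_EOF, which is what ends the loop */`, and consider a direct progress check at the bottom of the loop body that breaks when the input offset has not moved since the top of the iteration (compare an offset, not a pointer, if GROW can relocate the buffer — confirm against GROW). The body of htmlParseStartTag continues past the end of the hunk.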