Fix infinite loop

Regression from 30145890579e3e7fca548129260b2ac6a545d2ef

https://marcograss.github.io/security/android/chromium/2016/06/17/expat-xml-heap-overflow.html

diff --git a/expat/Changes b/expat/Changes
index 292c633f9dd4aebee903d4816c6d3e1d99240e14..512364d7cf2b25c6b1b5632d13d428352dd22702 100644 (file)
--- a/expat/Changes
+++ b/expat/Changes
@@ -40,6 +40,7 @@ Release 2.2.0 Sat June 18 2016
             Gustavo Grieco
             Karl Waclawek
             László Böszörményi
+            Marco Grassi
             Pascal Cuoq
             Sergei Nikulov
             Thomas Beutlich

diff --git a/expat/lib/xmltok_impl.c b/expat/lib/xmltok_impl.c
index fd0ee222bc2abb72b25222fc6c5eea9da69cc92a..5f779c0571b5b16f5296adc0fc8336dce16e8b8d 100644 (file)
--- a/expat/lib/xmltok_impl.c
+++ b/expat/lib/xmltok_impl.c
@@ -1198,6 +1198,8 @@ PREFIX(attributeValueTok)(const ENCODING *enc, const char *ptr,
   const char *start;
   if (ptr >= end)
     return XML_TOK_NONE;
+  else if (! HAS_CHAR(enc, ptr, end))
+    return XML_TOK_PARTIAL;
   start = ptr;
   while (HAS_CHAR(enc, ptr, end)) {
     switch (BYTE_TYPE(enc, ptr)) {
@@ -1256,6 +1258,8 @@ PREFIX(entityValueTok)(const ENCODING *enc, const char *ptr,
   const char *start;
   if (ptr >= end)
     return XML_TOK_NONE;
+  else if (! HAS_CHAR(enc, ptr, end))
+    return XML_TOK_PARTIAL;
   start = ptr;
   while (HAS_CHAR(enc, ptr, end)) {
     switch (BYTE_TYPE(enc, ptr)) {

diff --git a/htdocs/index.html b/htdocs/index.html
index c76b514c3d7e3d871e4276815c5eaa5250642f65..2cbbe8527a8e9113a01dd1facd67acba93e3ed5f 100644 (file)
--- a/htdocs/index.html
+++ b/htdocs/index.html
@@ -120,6 +120,7 @@ of Expat.</p>
       <li>Gustavo Grieco</li>
       <li>Karl Waclawek</li>
       <li>László Böszörményi</li>
+      <li>Marco Grassi</li>
       <li>Pascal Cuoq</li>
       <li>Sergei Nikulov</li>
       <li>Thomas Beutlich</li>