From: Sebastian Pipping
Date: Sat, 18 Jun 2016 13:54:52 +0000 (+0200)
Subject: Fix infinite loop
X-Git-Tag: R_2_2_0~4
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1d4bc08a37e696de5cf414baa890d90c96764d64;p=libexpat

Fix infinite loop

Regression from 30145890579e3e7fca548129260b2ac6a545d2ef
https://marcograss.github.io/security/android/chromium/2016/06/17/expat-xml-heap-overflow.html
---
diff --git a/expat/Changes b/expat/Changes
index 292c633f..512364d7 100644
--- a/expat/Changes
+++ b/expat/Changes
@@ -40,6 +40,7 @@ Release 2.2.0 Sat June 18 2016
 Gustavo Grieco
 Karl Waclawek
 László Böszörményi
+ Marco Grassi
 Pascal Cuoq
 Sergei Nikulov
 Thomas Beutlich
diff --git a/expat/lib/xmltok_impl.c b/expat/lib/xmltok_impl.c
index fd0ee222..5f779c05 100644
--- a/expat/lib/xmltok_impl.c
+++ b/expat/lib/xmltok_impl.c
@@ -1198,6 +1198,8 @@ PREFIX(attributeValueTok)(const ENCODING *enc, const char *ptr,
 const char *start;
 if (ptr >= end)
 return XML_TOK_NONE;
+ else if (! HAS_CHAR(enc, ptr, end))
+ return XML_TOK_PARTIAL;
 start = ptr;
 while (HAS_CHAR(enc, ptr, end)) {
 switch (BYTE_TYPE(enc, ptr)) {
@@ -1256,6 +1258,8 @@ PREFIX(entityValueTok)(const ENCODING *enc, const char *ptr,
 const char *start;
 if (ptr >= end)
 return XML_TOK_NONE;
+ else if (! HAS_CHAR(enc, ptr, end))
+ return XML_TOK_PARTIAL;
 start = ptr;
 while (HAS_CHAR(enc, ptr, end)) {
 switch (BYTE_TYPE(enc, ptr)) {
diff --git a/htdocs/index.html b/htdocs/index.html
index c76b514c..2cbbe852 100644
--- a/htdocs/index.html
+++ b/htdocs/index.html
@@ -120,6 +120,7 @@ of Expat.
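Review bot: The added `! HAS_CHAR(enc, ptr, end)` guard in PREFIX(attributeValueTok) carries no comment explaining why it is needed in addition to the `ptr >= end` test, and the identical guard in PREFIX(entityValueTok) has the same gap. I would put `/* input remains but not a whole character: report PARTIAL rather than fall past the loop without advancing ptr */` above each; the no-progress path is inferred from the commit title, since the code after the `while` is outside both hunks. Because this fixes a hang on input that ends part-way through a character, a regression test feeding such a truncated attribute value and entity value would be worth adding; none is visible in this diff. The callers are not shown, so confirm they treat XML_TOK_PARTIAL as terminal on the final buffer. The other tokenizers in this file that pair a `ptr >= end` check with a `while (HAS_CHAR(...))` loop presumably deserve the same audit.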

  • Gustavo Grieco
  • Karl Waclawek
  • László Böszörményi
  • +
  • Marco Grassi
  • Pascal Cuoq
  • Sergei Nikulov
  • Thomas Beutlich