File libxml2-CVE-2017-9049.patch of Package libxml2

Overview Repositories Revisions Requests Users Attributes Meta

File libxml2-CVE-2017-9049.patch of Package libxml2

Index: libxml2-2.9.1/parser.c
===================================================================
--- libxml2-2.9.1.orig/parser.c
+++ libxml2-2.9.1/parser.c
@@ -2017,6 +2017,7 @@ static int spacePop(xmlParserCtxtPtr ctx
 #define CUR (*ctxt->input->cur)
 #define NXT(val) ctxt->input->cur[(val)]
 #define CUR_PTR ctxt->input->cur
+#define BASE_PTR ctxt->input->base
 
 #define CMP4( s, c1, c2, c3, c4 ) \
   ( ((unsigned char *) s)[ 0 ] == c1 && ((unsigned char *) s)[ 1 ] == c2 && \
@@ -3306,6 +3307,7 @@ xmlParseNameComplex(xmlParserCtxtPtr ctx
     int len = 0, l;
     int c;
     int count = 0;
+    size_t startPosition = 0;
 
 #ifdef DEBUG
     nbParseNameComplex++;
@@ -3317,6 +3319,7 @@ xmlParseNameComplex(xmlParserCtxtPtr ctx
     GROW;
     if (ctxt->instate == XML_PARSER_EOF)
         return(NULL);
+    startPosition = CUR_PTR - BASE_PTR;
     c = CUR_CHAR(l);
     if ((ctxt->options & XML_PARSE_OLD10) == 0) {
         /*
@@ -3414,9 +3417,11 @@ xmlParseNameComplex(xmlParserCtxtPtr ctx
         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
         return(NULL);
     }
-    if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
-        return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
-    return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+
+    if (BASE_PTR + startPosition + len > ctxt->input->end)
+      return(NULL);
+
+    return(xmlDictLookup(ctxt->dict, BASE_PTR + startPosition, len));
 }
 
 /**

Places

File libxml2-CVE-2017-9049.patch of Package libxml2

Places