From 37bc5395ae2489db988b37b4dba070c584b516ca Mon Sep 17 00:00:00 2001 From: Hugh Davenport Date: Fri, 20 Nov 2015 17:16:06 +0800 Subject: [PATCH 18/18] CVE-2015-8242 Buffer overead with HTML parser in push mode For https://bugzilla.gnome.org/show_bug.cgi?id=756372 Error in the code pointing to the codepoint in the stack for the current char value instead of the pointer in the input that the SAX callback expects Reported and fixed by Hugh Davenport --- HTMLparser.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/HTMLparser.c b/HTMLparser.c index bdf7807..b729197 100644 --- a/HTMLparser.c +++ b/HTMLparser.c @@ -5735,17 +5735,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { if (ctxt->keepBlanks) { if (ctxt->sax->characters != NULL) ctxt->sax->characters( - ctxt->userData, &cur, 1); + ctxt->userData, &in->cur[0], 1); } else { if (ctxt->sax->ignorableWhitespace != NULL) ctxt->sax->ignorableWhitespace( - ctxt->userData, &cur, 1); + ctxt->userData, &in->cur[0], 1); } } else { htmlCheckParagraph(ctxt); if (ctxt->sax->characters != NULL) ctxt->sax->characters( - ctxt->userData, &cur, 1); + ctxt->userData, &in->cur[0], 1); } } ctxt->token = 0; -- 2.5.0