1*ebc59d3fSDon LewisFrom 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
2*ebc59d3fSDon LewisFrom: Zhipeng Xie <xiezhipeng1@huawei.com>
3*ebc59d3fSDon LewisDate: Thu, 12 Dec 2019 17:30:55 +0800
4*ebc59d3fSDon LewisSubject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
5*ebc59d3fSDon Lewis
6*ebc59d3fSDon LewisWhen ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
7*ebc59d3fSDon Lewisreturn NULL which cause a infinite loop in xmlStringLenDecodeEntities
8*ebc59d3fSDon Lewis
9*ebc59d3fSDon LewisFound with libFuzzer.
10*ebc59d3fSDon Lewis
11*ebc59d3fSDon LewisSigned-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
12*ebc59d3fSDon Lewis---
13*ebc59d3fSDon Lewis parser.c | 3 ++-
14*ebc59d3fSDon Lewis 1 file changed, 2 insertions(+), 1 deletion(-)
15*ebc59d3fSDon Lewis
16*ebc59d3fSDon Lewisdiff --git misc/libxml2-2.9.10/parser.c misc/build/libxml2-2.9.10/parser.c
17*ebc59d3fSDon Lewisindex d1c319631..a34bb6cdd 100644
18*ebc59d3fSDon Lewis--- misc/libxml2-2.9.10/parser.c
19*ebc59d3fSDon Lewis+++ misc/build/libxml2-2.9.10/parser.c
20*ebc59d3fSDon Lewis@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
21*ebc59d3fSDon Lewis else
22*ebc59d3fSDon Lewis c = 0;
23*ebc59d3fSDon Lewis while ((c != 0) && (c != end) && /* non input consuming loop */
24*ebc59d3fSDon Lewis- (c != end2) && (c != end3)) {
25*ebc59d3fSDon Lewis+ (c != end2) && (c != end3) &&
26*ebc59d3fSDon Lewis+ (ctxt->instate != XML_PARSER_EOF)) {
27*ebc59d3fSDon Lewis
28*ebc59d3fSDon Lewis if (c == 0) break;
29*ebc59d3fSDon Lewis if ((c == '&') && (str[1] == '#')) {
30*ebc59d3fSDon Lewis--
31*ebc59d3fSDon LewisGitLab
32*ebc59d3fSDon Lewis
33
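Review bot: The added `(ctxt->instate != XML_PARSER_EOF)` term in the while condition carries no explanation of why a halted parser must end a loop whose own comment calls it "non input consuming", so a reader has to recover from the commit message that xmlParseStringEntityRef returns NULL in that state, presumably without advancing str. A comment on the new line would keep that rationale next to the code: `/* a halted parser (XML_PARSER_EOF) makes entity lookups return NULL without consuming input; stop instead of spinning */`. Because the test sits at the loop head, the iteration in which the parser halts still runs its body before the exit, which looks acceptable only if that body already tolerates a NULL entity; the body lies outside the hunk, so this is worth confirming. It would also be worth checking that the code after the loop, also outside the hunk, does not hand back the partially decoded buffer as a successful result when the loop ends for this reason rather than on a terminator.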