From d7ea13f504a93c90e4b711bd3fc02b29a5380451 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Thu, 22 Sep 2022 16:49:32 +0200
Subject: tests: Cover leak of opening tag bindings after closing tag mismatch error

---
 expat/tests/runtests.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
index a8cc1f03..7477fa24 100644
--- a/expat/tests/runtests.c
+++ b/expat/tests/runtests.c
@@ -7927,6 +7927,28 @@ START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
 }
 END_TEST
 
+START_TEST(test_misc_tag_mismatch_reset_leak) {
+#ifdef XML_NS
+  const char *const text = "";
+  XML_Parser parser = XML_ParserCreateNS(NULL, XCS('\n'));
+
+  if (XML_Parse(parser, text, (int)strlen(text), XML_TRUE) != XML_STATUS_ERROR)
+    fail("Call to parse was expected to fail");
+  if (XML_GetErrorCode(parser) != XML_ERROR_TAG_MISMATCH)
+    fail("Call to parse was expected to fail from a closing tag mismatch");
+
+  XML_ParserReset(parser, NULL);
+
+  if (XML_Parse(parser, text, (int)strlen(text), XML_TRUE) != XML_STATUS_ERROR)
+    fail("Call to parse was expected to fail");
+  if (XML_GetErrorCode(parser) != XML_ERROR_TAG_MISMATCH)
+    fail("Call to parse was expected to fail from a closing tag mismatch");
+
+  XML_ParserFree(parser);
+#endif
+}
+END_TEST
+
 static void
 alloc_setup(void) {
   XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
@@ -12277,6 +12299,7 @@ make_suite(void) {
   tcase_add_test(tc_misc, test_misc_stop_during_end_handler_issue_240_2);
   tcase_add_test__ifdef_xml_dtd(
       tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
+  tcase_add_test(tc_misc, test_misc_tag_mismatch_reset_leak);
 
   suite_add_tcase(s, tc_alloc);
   tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
-- 
cgit v1.2.1

From 16a4db928bc75d93e798abb47c0b6696eef3355b Mon Sep 17 00:00:00 2001
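Review bot: The new test never checks that XML_ParserCreateNS returned a non-NULL parser; XML_Parse on a NULL parser also reports XML_STATUS_ERROR, so the first check passes and the second then fails with a misleading tag-mismatch message. A guard right after the create call, `if (parser == NULL) fail("XML_ParserCreateNS failed");`, keeps the failure attributable. As rendered on this page the `text` literal is empty, presumably markup lost in extraction, since an empty document cannot reach XML_ERROR_TAG_MISMATCH; please confirm the source contains an element with a mismatched closing tag. The assertions only prove the mismatch path is taken before and after XML_ParserReset while the leak itself is observable only under a leak checker, so a comment such as `/* The leak is only visible under ASan/valgrind; the checks just drive the mismatch path twice across a reset. */` would help, and the second hunk registers the test unconditionally although its body is empty without XML_NS, so it passes vacuously in that configuration.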
From: Sebastian Pipping
Date: Thu, 22 Sep 2022 16:51:17 +0200
Subject: lib: Stop leaking opening tag bindings after closing tag mismatch error

.. by moving the opening tag onto the free tag list only *after* the tag match check has passed.
---
 expat/lib/xmlparse.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index 5e2c16b2..e415068b 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -3011,9 +3011,6 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
       int len;
       const char *rawName;
       TAG *tag = parser->m_tagStack;
-      parser->m_tagStack = tag->parent;
-      tag->parent = parser->m_freeTagList;
-      parser->m_freeTagList = tag;
       rawName = s + enc->minBytesPerChar * 2;
       len = XmlNameLength(enc, rawName);
       if (len != tag->rawNameLength
@@ -3021,6 +3018,9 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
         *eventPP = rawName;
         return XML_ERROR_TAG_MISMATCH;
       }
+      parser->m_tagStack = tag->parent;
+      tag->parent = parser->m_freeTagList;
+      parser->m_freeTagList = tag;
       --parser->m_tagLevel;
       if (parser->m_endElementHandler) {
         const XML_Char *localPart;
-- 
cgit v1.2.1

From 8510b2c551535a29a654c997d8af8239cbee7c8c Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Thu, 22 Sep 2022 17:11:59 +0200
Subject: Changes: Document #652

---
 expat/Changes | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/expat/Changes b/expat/Changes
index e4db7700..9d0dff87 100644
--- a/expat/Changes
+++ b/expat/Changes
@@ -5,12 +5,16 @@ NOTE: We are looking for help with a few things:
 Release x.x.x xxx xxxxxxxxxxxx xx xxxx
         Bug fixes:
             #612 #645  Fix curruption from undefined entities
+            #616 #652 #653  Stop leaking opening tag bindings after a closing tag
+                       mismatch error where a parser is reset through
+                       XML_ParserReset and then reused to parse
         Other changes:
             #648  Address compiler warnings
 
         Special thanks to:
             Jann Horn
+            Mark Brand
             Rhodri James
             and Google Project Zero
-- 
cgit v1.2.1
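Review bot: The three relocated assignments in the second xmlparse.c hunk carry no explanation of why they must follow the mismatch check, so a later tidy-up could move them back to where the first hunk removes them and silently reintroduce the leak. Suggest a comment above `parser->m_tagStack = tag->parent;`: `/* Pop the tag only after the names matched: on XML_ERROR_TAG_MISMATCH it must stay on m_tagStack so its bindings are released with the stack on reset/free instead of being stranded on m_freeTagList. */` (that the free-list path does not release bindings is what the commit message implies; confirm against the reset code before wording it that strongly). The early return in the first hunk's continuation leaves m_tagLevel untouched as before, which looks right since the parser is in an error state afterwards. doContent starts and ends outside both hunks.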