commit e4dc36f18a3ba06183168111052b7b4e213c740b
author Nikias Bassen <nikias@gmx.li> Tue Feb 07 03:03:15 2017 +0100
committer Nikias Bassen <nikias@gmx.li> Tue Feb 07 03:03:15 2017 +0100
tree fe50c564f3e87ddf101fb0e06daac8401d60b151
parent ca33a2b7aebf7cadd480a80d1eb2284406061b08

xplist: Prevent OOB read in two more cases

src/xplist.c

diff --git a/src/xplist.c b/src/xplist.c
index 7cee6de..d157200 100644
--- a/src/xplist.c
+++ b/src/xplist.c
@@ -546,6 +546,11 @@
         }
         if (*ctx->pos == '!') {
             ctx->pos++;
+            if (ctx->pos >= ctx->end-1) {
+                PLIST_XML_ERR("EOF while parsing <! special tag\n");
+                ctx->err++;
+                return NULL;
+            }
             if (*ctx->pos == '-' && *(ctx->pos+1) == '-') {
                 if (last) {
                     last = text_part_append(last, p, q-p, 0);
@@ -844,6 +849,11 @@
                 ctx->pos+=8;
                 while (ctx->pos < ctx->end) {
                     find_next(ctx, " \t\r\n[>", 6, 1);
+                    if (ctx->pos >= ctx->end) {
+                        PLIST_XML_ERR("EOF while parsing !DOCTYPE\n");
+                        ctx->err++;
+                        goto err_out;
+                    }
                     if (*ctx->pos == '[') {
                         embedded_dtd = 1;
                         break;