From 3a5520ccce42ac145794f2195cc60e8ae855a8cb Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Tue, 7 Feb 2017 04:19:44 +0100
Subject: xplist: Prevent some more strncmp related OOB reads
---
src/xplist.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/xplist.c b/src/xplist.c
index 1c166f5..e8f80fb 100644
--- a/src/xplist.c
+++ b/src/xplist.c
@@ -567,7 +567,7 @@ static text_part_t* get_text_parts(parse_ctx ctx, const char* tag, size_t tag_le
}
ctx->pos += 2;
find_str(ctx, "-->", 3, 0);
- if (ctx->pos >= ctx->end || strncmp(ctx->pos, "-->", 3) != 0) {
+ if (ctx->pos > ctx->end-3 || strncmp(ctx->pos, "-->", 3) != 0) {
PLIST_XML_ERR("EOF while looking for end of comment\n");
ctx->err++;
return NULL;
@@ -591,7 +591,7 @@ static text_part_t* get_text_parts(parse_ctx ctx, const char* tag, size_t tag_le
ctx->pos+=6;
p = ctx->pos;
find_str(ctx, "]]>", 3, 0);
- if (ctx->pos >= ctx->end || strncmp(ctx->pos, "]]>", 3) != 0) {
+ if (ctx->pos > ctx->end-3 || strncmp(ctx->pos, "]]>", 3) != 0) {
PLIST_XML_ERR("EOF while looking for end of CDATA block\n");
ctx->err++;
return NULL;
@@ -830,7 +830,7 @@ static void node_from_xml(parse_ctx ctx, plist_t *plist, uint32_t depth)
if (*(ctx->pos) == '?') {
find_str(ctx, "?>", 2, 1);
- if (ctx->pos >= ctx->end-2) {
+ if (ctx->pos > ctx->end-2) {
PLIST_XML_ERR("EOF while looking for <? tag closing marker\n");
ctx->err++;
goto err_out;
@@ -847,7 +847,7 @@ static void node_from_xml(parse_ctx ctx, plist_t *plist, uint32_t depth)
if (((ctx->end - ctx->pos) > 3) && !strncmp(ctx->pos, "!--", 3)) {
ctx->pos += 3;
find_str(ctx,"-->", 3, 0);
- if (strncmp(ctx->pos, "-->", 3)) {
+ if (ctx->pos > ctx->end-3 || strncmp(ctx->pos, "-->", 3)) {
PLIST_XML_ERR("Couldn't find end of comment\n");
ctx->err++;
goto err_out;
--
cgit v1.1-32-gdbae