CVE-2015-8242 Buffer overead with HTML parser in push mode For https://bugzilla.gnome.org/show_bug.cgi?id=756372 Error in the code pointing to the codepoint in the stack for the current char value instead of the pointer in the input that the SAX callback expects Reported and fixed by Hugh Davenport

commit: 8fb4a770075628d6441fb17a1e435100e2f3b1a2 [log] [tgz]
author: Hugh Davenport <hugh@allthethings.co.nz> Fri Nov 20 17:16:06 2015 +0800
committer: Daniel Veillard <veillard@redhat.com> Fri Nov 20 17:16:06 2015 +0800
tree: b196187045e8ae080804e71ee65f6d9940491d95
parent: f1063fdbe7fa66332bbb76874101c2a7b51b519f [diff]
diff --git a/HTMLparser.c b/HTMLparser.c
index bdf7807..b729197 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c

@@ -5735,17 +5735,17 @@
 				if (ctxt->keepBlanks) {
 				    if (ctxt->sax->characters != NULL)
 					ctxt->sax->characters(
-						ctxt->userData, &cur, 1);
+						ctxt->userData, &in->cur[0], 1);
 				} else {
 				    if (ctxt->sax->ignorableWhitespace != NULL)
 					ctxt->sax->ignorableWhitespace(
-						ctxt->userData, &cur, 1);
+						ctxt->userData, &in->cur[0], 1);
 				}
 			    } else {
 				htmlCheckParagraph(ctxt);
 				if (ctxt->sax->characters != NULL)
 				    ctxt->sax->characters(
-					    ctxt->userData, &cur, 1);
+					    ctxt->userData, &in->cur[0], 1);
 			    }
 			}
 			ctxt->token = 0;
commit	8fb4a770075628d6441fb17a1e435100e2f3b1a2	[log] [tgz]
author	Hugh Davenport <hugh@allthethings.co.nz>	Fri Nov 20 17:16:06 2015 +0800
committer	Daniel Veillard <veillard@redhat.com>	Fri Nov 20 17:16:06 2015 +0800
tree	b196187045e8ae080804e71ee65f6d9940491d95
parent	f1063fdbe7fa66332bbb76874101c2a7b51b519f [diff]