1From 15b0ed0815d48ac48c7b95a28b8332a298ed7072 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Thu, 16 Feb 2023 15:09:02 +0100
4Subject: [PATCH] malloc-fail: Fix infinite loop in htmlParseDocTypeDecl
5
6Found with libFuzzer, see #344.
7
8Reference:https://github.com/GNOME/libxml2/commit/15b0ed0815d48ac48c7b95a28b8332a298ed7072
9Conflict:NA
10---
11 HTMLparser.c | 3 ++-
12 1 file changed, 2 insertions(+), 1 deletion(-)
13
14diff --git a/HTMLparser.c b/HTMLparser.c
15index e02a142..457b2a3 100644
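--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -3695,7 +3695,8 @@ htmlParseDocTypeDecl(htmlParserCtxtPtr ctxt) {
 	htmlParseErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED,
 	             "DOCTYPE improperly terminated\n", NULL, NULL);
         /* Ignore bogus content */
-        while ((CUR != 0) && (CUR != '>'))
+        while ((CUR != 0) && (CUR != '>') &&
+               (ctxt->instate != XML_PARSER_EOF))
             NEXT;
     }
     if (CUR == '>')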
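Review bot: The new `(ctxt->instate != XML_PARSER_EOF)` term in the skip loop has no comment explaining why it is needed, so a later cleanup could drop it as redundant with `CUR != 0`. Going by the commit title, the parser is halted after an allocation failure and NEXT presumably stops advancing while CUR stays non-zero, which would let untrusted HTML pin a CPU under memory pressure. I would extend the existing comment to `/* Ignore bogus content; also stop once the parser is halted, NEXT may not advance then */`. The diffstat shows only HTMLparser.c changed, so no regression test covers this path, and other `while ((CUR != 0) && ...) NEXT;` loops in the file (not visible in this hunk) are worth checking for the same guard. htmlParseDocTypeDecl starts and ends outside the hunk.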
28--
292.27.0