
Overflow in lexer when parsing malformed doctype #204

Closed
5225225 opened this issue Apr 1, 2021 · 1 comment

5225225 commented Apr 1, 2021

Found through fuzzing and minimized the test case manually.

Sample program (tested against 0.8.3 on crates.io as well as the latest version from git (df46cd4)):

```rust
// Repro: requires the `xml-rs` crate (crate name `xml`) as a dependency.
// The input is a DOCTYPE followed by several hundred '<' characters, which
// are enough to overflow the lexer's nesting counter.
fn main() {
    let x = "<!DOCTYPE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<";

    let c = std::io::Cursor::new(x);

    // Pull every event; the panic happens inside the lexer while it is
    // still skipping the malformed DOCTYPE.
    for _ in xml::reader::EventReader::new(c) {}
}
```

Stack trace:

thread 'main' panicked at 'attempt to add with overflow', /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:485:57
stack backtrace:
   0: rust_begin_unwind
             at /rustc/07e0e2ec268c140e607e1ac7f49f145612d0f597/library/std/src/panicking.rs:493:5
   1: core::panicking::panic_fmt
             at /rustc/07e0e2ec268c140e607e1ac7f49f145612d0f597/library/core/src/panicking.rs:92:14
   2: core::panicking::panic
             at /rustc/07e0e2ec268c140e607e1ac7f49f145612d0f597/library/core/src/panicking.rs:50:5
   3: xml::reader::lexer::Lexer::doctype_finishing
             at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:485:57
   4: xml::reader::lexer::Lexer::dispatch_char
             at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:372:54
   5: xml::reader::lexer::Lexer::read_next_token
             at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:353:19
   6: xml::reader::lexer::Lexer::next_token
             at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:311:24
   7: xml::reader::parser::PullParser::next
             at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/parser/mod.rs:262:19
   8: xml::reader::EventReader<R>::next
             at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/mod.rs:52:9
   9: <xml::reader::Events<R> as core::iter::traits::iterator::Iterator>::next
             at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/mod.rs:113:22
  10: scratchi0Wd3V0pt::main
             at ./main.rs:10:14
  11: core::ops::function::FnOnce::call_once
             at /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Had a brief look at the code, and it looks like we could return an error if we have too many open brackets in a row? Seems very unlikely that a valid XML document would do that.
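The bounded-counter approach suggested above, as an added illustration that is not xml-rs's code: a minimal model of a lexer state that skips a DOCTYPE by counting nested brackets, using `checked_add` and an explicit depth cap so the fuzzer input produces a lexer error instead of an arithmetic panic. The `skip_doctype` function, its `u8` counter and the `MAX_DEPTH` value are assumptions, not the crate's actual internals.

```rust
// Hypothetical model of a DOCTYPE-skipping lexer state (not xml-rs code).
// `depth` counts unmatched '<' inside the DOCTYPE; the report shows what
// happens when such a counter grows without a bound check.

#[derive(Debug, PartialEq)]
pub enum LexError {
    /// Bracket nesting exceeded what the lexer is willing to track.
    TooDeeplyNested { at: usize, limit: u8 },
    /// Input ended before the '>' that closes the DOCTYPE.
    UnterminatedDoctype,
}

/// Assumed cap; real documents nest only a handful of brackets deep.
pub const MAX_DEPTH: u8 = 64;

/// Scans `input` starting just after `<!DOCTYPE` and returns the byte offset
/// immediately after the matching '>', or an error.
pub fn skip_doctype(input: &str) -> Result<usize, LexError> {
    let mut depth: u8 = 0;
    for (i, c) in input.char_indices() {
        match c {
            '<' => {
                // checked_add can never panic at the u8 boundary, and the
                // guard rejects anything past the cap before that point.
                depth = match depth.checked_add(1) {
                    Some(d) if d <= MAX_DEPTH => d,
                    _ => return Err(LexError::TooDeeplyNested { at: i, limit: MAX_DEPTH }),
                };
            }
            '>' if depth == 0 => return Ok(i + 1),
            '>' => depth -= 1,
            _ => {}
        }
    }
    Err(LexError::UnterminatedDoctype)
}

fn main() {
    // Constructed inputs: a well-formed internal subset, and a fuzzer-style
    // run of 300 '<' characters (more than a u8 can count).
    let ok = " html [<!ENTITY x \"y\">]>rest";
    println!("{:?}", skip_doctype(ok));
    let bad = "<".repeat(300);
    println!("{:?}", skip_doctype(&bad));
}
```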

@kornelski (Collaborator)

Fixed
