Fix out-of-bounds reads for named entities

rubys · Sep 21, 2018 · 8d393e0 · 8d393e0
1 parent 4cd483c
commit 8d393e0
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 14 deletions.
diff --git a/gumbo-parser/src/char_ref.c b/gumbo-parser/src/char_ref.c
@@ -13179,27 +13179,30 @@ size_t match_named_char_ref (
   int cs;
   int act;
   const char *p = str;
-  const char *const eof = 0;
+  const char *pe = str + size;
+  const char *const eof = pe;
   const char *ts;
   const char *te;
   output[0] = output[1] = kGumboNoChar;
 
-#line 13188 "src/char_ref.c"
+#line 13189 "src/char_ref.c"
 	{
 	cs = start;
 	ts = 0;
 	te = 0;
 	act = 0;
 	}
 
-#line 2148 "src/char_ref.rl"
+#line 2149 "src/char_ref.rl"
 
-#line 13198 "src/char_ref.c"
+#line 13199 "src/char_ref.c"
 	{
 	int _slen;
 	int _trans;
 	const char *_keys;
 	const short *_inds;
+	if ( p == pe )
+		goto _test_eof;
 	if ( cs == 0 )
 		goto _out;
 _resume:
@@ -13208,7 +13211,7 @@ size_t match_named_char_ref (
 #line 1 "NONE"
 	{ts = p;}
 	break;
-#line 13212 "src/char_ref.c"
+#line 13215 "src/char_ref.c"
 	}
 
 	_keys = _trans_keys + (cs<<1);
@@ -22186,7 +22189,7 @@ size_t match_named_char_ref (
 #line 1948 "src/char_ref.rl"
 	{{p = ((te))-1;}{output[0]=0xd7; {p++; goto _out; }}}
 	break;
-#line 22190 "src/char_ref.c"
+#line 22193 "src/char_ref.c"
 	}
 
 _again:
@@ -22195,13 +22198,14 @@ size_t match_named_char_ref (
 #line 1 "NONE"
 	{ts = 0;}
 	break;
-#line 22199 "src/char_ref.c"
+#line 22202 "src/char_ref.c"
 	}
 
 	if ( cs == 0 )
 		goto _out;
-	p += 1;
-	goto _resume;
+	if ( ++p != pe )
+		goto _resume;
+	_test_eof: {}
 	if ( p == eof )
 	{
 	if ( _eof_trans[cs] > 0 ) {
@@ -22213,7 +22217,7 @@ size_t match_named_char_ref (
 	_out: {}
 	}
 
-#line 2149 "src/char_ref.rl"
+#line 2150 "src/char_ref.rl"
   size = p - str;
   return cs >= 7623? size:0;
 }
diff --git a/gumbo-parser/src/char_ref.rl b/gumbo-parser/src/char_ref.rl
@@ -2140,12 +2140,13 @@ size_t match_named_char_ref (
   int cs;
   int act;
   const char *p = str;
-  const char *const eof = 0;
+  const char *pe = str + size;
+  const char *const eof = pe;
   const char *ts;
   const char *te;
   output[0] = output[1] = kGumboNoChar;
   %% write init;
-  %% write exec noend;
+  %% write exec;
   size = p - str;
   return cs >= %%{ write first_final; }%%? size:0;
 }
diff --git a/gumbo-parser/test/tokenizer.cc b/gumbo-parser/test/tokenizer.cc
@@ -915,6 +915,14 @@ TEST_F(GumboTokenizerTest, EscapedScriptStates2) {
   NextEndTag(GUMBO_TAG_SCRIPT);
 }
 
+TEST_F(GumboTokenizerTest, ReadOutOfBounds) {
+  SetInput("&notindot;", 6);
+  NextChar(0x00AC, true);
+  NextChar('i');
+  NextChar('n');
+  AtEnd();
+}
+
 TEST_F(GumboTokenizerTest, ControlCharRefs) {
   SetInput("&#x80;&#x82;&#x83;&#x84;&#x85;&#x86;&#x87;&#x88;&#x89;"
            "&#x8A;&#x8B;&#x8C;&#x8E;&#x91;&#x92;&#x93;&#x94;&#x95;"

diff --git a/scripts/entities.rb b/scripts/entities.rb
@@ -14,6 +14,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# The output of this script should be compiled with ragel 6.10 which is the
+# current stable version. Version 7 changes some stuff but what, precisely,
+# isn't documented yet.
+
 require 'psych'
 require 'open-uri'
 
@@ -77,12 +81,13 @@
   int cs;
   int act;
   const char *p = str;
-  const char *const eof = 0;
+  const char *pe = str + size;
+  const char *const eof = pe;
   const char *ts;
   const char *te;
   output[0] = output[1] = kGumboNoChar;
   %% write init;
-  %% write exec noend;
+  %% write exec;
   size = p - str;
   return cs >= %%{ write first_final; }%%? size:0;
 }