CVE-2018-16428 11/192111/1
author DongHun Kwak <dh0128.kwak@samsung.com>
Tue, 30 Oct 2018 07:32:47 +0000 (16:32 +0900)
committer DongHun Kwak <dh0128.kwak@samsung.com>
Tue, 30 Oct 2018 07:33:32 +0000 (16:33 +0900)
If something which looks like a closing tag is left unfinished, but
isn’t paired to an opening tag in the document, the error handling code
would do a null pointer dereference. Avoid that, at the cost of
introducing a new translatable error message.

Includes a test case, courtesy of pdknsk.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
https://gitlab.gnome.org/GNOME/glib/issues/1461

[Model] All
[BinType] AP
[Customer] OPEN

[Issue#] N/A
[Request] N/A
[Occurrence Version] N/A

[Problem] Security patch
[Cause & Measure]
[Checking Method]

[Team] Open Source Management and Setting Part
[Developer] dh0128.kwak
[Solution company] Samsung
[Change Type] N/A

Change-Id: Icd7c1bf8da55b501d9471df5ad18e7c7b0892d6b
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
glib/gmarkup.c

index 46923b8..170612a 100644 (file)
@@ -1832,9 +1832,14 @@ g_markup_parse_context_end_parse (GMarkupParseContext  *context,
     case STATE_AFTER_CLOSE_TAG_SLASH:
     case STATE_INSIDE_CLOSE_TAG_NAME:
     case STATE_AFTER_CLOSE_TAG_NAME:
-      set_error (context, error, G_MARKUP_ERROR_PARSE,
-                 _("Document ended unexpectedly inside the close tag for "
-                   "element '%s'"), current_element (context));
+      if (context->tag_stack != NULL)
+        set_error (context, error, G_MARKUP_ERROR_PARSE,
+                   _("Document ended unexpectedly inside the close tag for "
+                     "element “%s”"), current_element (context));
+      else
+        set_error (context, error, G_MARKUP_ERROR_PARSE,
+                   _("Document ended unexpectedly inside the close tag for an "
+                     "unopened element"));
       break;
 
     case STATE_INSIDE_PASSTHROUGH:
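Review bot: the null check on `context->tag_stack` before calling `current_element (context)` in the three close-tag states is the actual fix, but the same hunk also rewrites the surviving message from `'%s'` to `“%s”`, which changes an existing translatable string unrelated to the dereference; for a security backport it would be cleaner to keep the original quoting so only the new "unopened element" string needs translation and the patch stays minimal. Also, the commit message says a test case is included, yet the diff touches only glib/gmarkup.c; either add the test to this change or drop that sentence from the message.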