From: DongHun Kwak
Date: Tue, 30 Oct 2018 07:32:47 +0000 (+0900)
Subject: CVE-2018-16428
X-Git-Tag: accepted/tizen/unified/20181108.172410~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F11%2F192111%2F1;p=platform%2Fupstream%2Fglib.git

CVE-2018-16428

If something which looks like a closing tag is left unfinished, but isn’t paired to an opening tag in the document, the error handling code would do a null pointer dereference. Avoid that, at the cost of introducing a new translatable error message.

Includes a test case, courtesy of pdknsk.

Signed-off-by: Philip Withnall

https://gitlab.gnome.org/GNOME/glib/issues/1461

[Model] All
[BinType] AP
[Customer] OPEN
[Issue#] N/A
[Request] N/A
[Occurrence Version] N/A
[Problem] Security patch
[Cause & Measure]
[Checking Method]
[Team] Open Source Management and Setting Part
[Developer] dh0128.kwak
[Solution company] Samsung
[Change Type] N/A

Change-Id: Icd7c1bf8da55b501d9471df5ad18e7c7b0892d6b
Signed-off-by: DongHun Kwak
---
diff --git a/glib/gmarkup.c b/glib/gmarkup.c index 46923b8..170612a 100644 --- a/glib/gmarkup.c +++ b/glib/gmarkup.c @@ -1832,9 +1832,14 @@ g_markup_parse_context_end_parse (GMarkupParseContext *context, case STATE_AFTER_CLOSE_TAG_SLASH: case STATE_INSIDE_CLOSE_TAG_NAME: case STATE_AFTER_CLOSE_TAG_NAME: - set_error (context, error, G_MARKUP_ERROR_PARSE, - _("Document ended unexpectedly inside the close tag for " - "element '%s'"), current_element (context)); + if (context->tag_stack != NULL) + set_error (context, error, G_MARKUP_ERROR_PARSE, + _("Document ended unexpectedly inside the close tag for " + "element “%s”"), current_element (context)); + else + set_error (context, error, G_MARKUP_ERROR_PARSE, + _("Document ended unexpectedly inside the close tag for an " + "unopened element")); break; case STATE_INSIDE_PASSTHROUGH:
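Review bot: the commit message says the change "Includes a test case, courtesy of pdknsk", but the only file in this diff is glib/gmarkup.c; if the test was dropped when the fix was backported to the Tizen branch, either carry it over so the STATE_INSIDE_CLOSE_TAG_NAME / STATE_AFTER_CLOSE_TAG_NAME path with an empty tag stack stays covered, or drop that sentence so the message matches the patch. Separately, the surviving error string in this hunk changes its quoting from `"element '%s'"` to `"element “%s”"`, which alters the translatable msgid and will invalidate existing translations of that message; for a security backport, keeping the original ASCII quotes (or calling out the translation impact in the message) would be cleaner. The guard itself is the right fix: `current_element (context)` must not be called when `context->tag_stack` is NULL, and the new `else` branch reports the unopened-element case without touching the stack.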