From e3e58c4bbcbe6b6aedba1bcc2ea30b98061a3d3a Mon Sep 17 00:00:00 2001
From: DongHun Kwak
Date: Tue, 30 Oct 2018 16:32:47 +0900
Subject: [PATCH] CVE-2018-16428
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

If something which looks like a closing tag is left unfinished, but isn’t paired to an opening tag in the document, the error handling code would do a null pointer dereference. Avoid that, at the cost of introducing a new translatable error message.

Includes a test case, courtesy of pdknsk.

Signed-off-by: Philip Withnall

https://gitlab.gnome.org/GNOME/glib/issues/1461

[Model] All
[BinType] AP
[Customer] OPEN
[Issue#] N/A
[Request] N/A
[Occurrence Version] N/A
[Problem] Security patch
[Cause & Measure]
[Checking Method]
[Team] Open Source Management and Setting Part
[Developer] dh0128.kwak
[Solution company] Samsung
[Change Type] N/A

Change-Id: Icd7c1bf8da55b501d9471df5ad18e7c7b0892d6b
Signed-off-by: DongHun Kwak
---
 glib/gmarkup.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/glib/gmarkup.c b/glib/gmarkup.c
index 46923b8..170612a 100644
--- a/glib/gmarkup.c
+++ b/glib/gmarkup.c
@@ -1832,9 +1832,14 @@ g_markup_parse_context_end_parse (GMarkupParseContext *context,
 case STATE_AFTER_CLOSE_TAG_SLASH:
 case STATE_INSIDE_CLOSE_TAG_NAME:
 case STATE_AFTER_CLOSE_TAG_NAME:
- set_error (context, error, G_MARKUP_ERROR_PARSE,
- _("Document ended unexpectedly inside the close tag for "
- "element '%s'"), current_element (context));
+ if (context->tag_stack != NULL)
+ set_error (context, error, G_MARKUP_ERROR_PARSE,
+ _("Document ended unexpectedly inside the close tag for "
+ "element “%s”"), current_element (context));
+ else
+ set_error (context, error, G_MARKUP_ERROR_PARSE,
+ _("Document ended unexpectedly inside the close tag for an "
+ "unopened element"));
 break;

 case STATE_INSIDE_PASSTHROUGH:
-- 
2.7.4
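Review bot: Besides adding the NULL guard, the first `set_error` in the new code also rewrites the existing message from `"element '%s'"` to `"element “%s”"`, so on this branch the msgid changes and every existing translation of it stops matching until the .po files are regenerated, which a tree taking only a security backport may not do; keeping `'%s'` there would limit the hunk to the fix itself and leave only the genuinely new "unopened element" string untranslated, as the commit message already anticipates. The message says a test case is included, but the diffstat lists only glib/gmarkup.c, so the input that reaches the new `else` branch (a document ending inside a close tag while `context->tag_stack` is empty) is presumably not exercised by this backport; carrying the upstream test over would pin the NULL path. The guard on `context->tag_stack` suggests `current_element (context)` reads that stack unconditionally, so other end-of-parse states that call it with the same assumption may deserve the same check, though none are visible in this hunk. g_markup_parse_context_end_parse starts and ends outside the hunk.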