Fix an IOOB when HTML root cleared and then attributes added
Fixes #1611
jhy committed Aug 14, 2021
1 parent 9d538e6 commit eba3e39
Showing 4 changed files with 24 additions and 6 deletions.
3 changes: 3 additions & 0 deletions CHANGES
Expand Up @@ -74,6 +74,9 @@ jsoup changelog
* Bugfix [Fuzz]: Fix a potential stack-overflow in the parser given crafted HTML, when the parser looped in the
InSelectInTable state.

* Bugfix [Fuzz]: Fix an IOOB when the HTML root was cleared from the stack and then attributes were merged onto it.
<https://github.com/jhy/jsoup/issues/1611>

*** Release 1.14.1 [2021-Jul-10]
* Change: updated the minimum supported Java version from Java 7 to Java 8.
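Review bot: The added CHANGES entry uses the abbreviation "IOOB" without expanding it. Spelling out IndexOutOfBoundsException would let users who hit the exception find this entry by searching the changelog for the name in their stack trace. The neighbouring entry names the parser state involved (InSelectInTable); this one could likewise say the merge happens when an html start tag is seen in the body.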

15 changes: 9 additions & 6 deletions src/main/java/org/jsoup/parser/HtmlTreeBuilderState.java
Expand Up @@ -340,12 +340,15 @@ private boolean inBodyStartTag(Token t, HtmlTreeBuilder tb) {
break;
case "html":
tb.error(this);
// merge attributes onto real html
Element html = tb.getStack().get(0);
if (startTag.hasAttributes()) {
for (Attribute attribute : startTag.attributes) {
if (!html.hasAttr(attribute.getKey()))
html.attributes().put(attribute);
// merge attributes onto real html (if present)
stack = tb.getStack();
if (stack.size() > 0) {
Element html = tb.getStack().get(0);
if (startTag.hasAttributes()) {
for (Attribute attribute : startTag.attributes) {
if (!html.hasAttr(attribute.getKey()))
html.attributes().put(attribute);
}
}
}
break;
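Review bot: The new guard `if (stack.size() > 0)` only establishes that the stack is non-empty, not that element 0 is the html root, although the updated comment reads "merge attributes onto real html (if present)". If the root has been cleared while other elements remain on the stack, `get(0)` returns whatever now sits at the bottom and the start tag's attributes are merged onto that element instead. Consider also checking that the element is the html element before merging. Separately, the line after `stack = tb.getStack();` calls `tb.getStack().get(0)` again; `stack.get(0)` would use the local that was just assigned and keep the size check and the read on the same reference.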
12 changes: 12 additions & 0 deletions src/test/java/org/jsoup/integration/FuzzFixesTest.java
Expand Up @@ -193,4 +193,16 @@ public void overflow1607() throws IOException {
Document docXml = Jsoup.parse(new FileInputStream(in), "UTF-8", "https://example.com", Parser.xmlParser());
assertNotNull(docXml);
}

@Test
public void oob() throws IOException {
// https://github.com/jhy/jsoup/issues/1611
File in = ParseTest.getFile("/fuzztests/1611.html.gz");

Document doc = Jsoup.parse(in, "UTF-8");
assertNotNull(doc);

Document docXml = Jsoup.parse(new FileInputStream(in), "UTF-8", "https://example.com", Parser.xmlParser());
assertNotNull(docXml);
}
}
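Review bot: The new `oob()` test only asserts `assertNotNull(doc)` and `assertNotNull(docXml)`, so it passes whenever parsing does not throw and says nothing about the state of the parsed document. An additional assertion on the result (for example, that the document still has a usable root after the fuzz input) would pin the fixed behaviour down more tightly. The name could carry the issue number the way the preceding `overflow1607` does, for example `oob1611`, and the `new FileInputStream(in)` passed to the XML parse is never closed in the test; wrapping it in try-with-resources would avoid leaking the handle.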
Binary file added src/test/resources/fuzztests/1611.html.gz
Binary file not shown.
