By adding checks for sequence/alternate types in element_end to avoid a type confusion. This issue was found by OSS-Fuzz. This can be triggered by using an input of `<sequence><foo/><text/></sequence>` against the harness in https://github.com/google/oss-fuzz/blob/master/projects/bluez/fuzz_xml.c https://issues.oss-fuzz.com/issues/42516062 https://oss-fuzz.com/testcase-detail/5896441415729152 --- src/sdp-xml.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/sdp-xml.c b/src/sdp-xml.c index 5efa62ab8..81bd11140 100644 --- a/src/sdp-xml.c +++ b/src/sdp-xml.c @@ -545,6 +545,13 @@ static void element_end(GMarkupParseContext *context, } if (!strcmp(element_name, "sequence")) { + if (!SDP_IS_SEQ(ctx_data->stack_head->data->dtd)) { + g_set_error(err, G_MARKUP_ERROR, G_MARKUP_ERROR_INVALID_CONTENT, + "Unexpected data type %d for sequence", + ctx_data->stack_head->data->dtd); + return; + } + ctx_data->stack_head->data->unitSize = compute_seq_size(ctx_data->stack_head->data); if (ctx_data->stack_head->data->unitSize > USHRT_MAX) { @@ -557,6 +564,13 @@ static void element_end(GMarkupParseContext *context, ctx_data->stack_head->data->unitSize += sizeof(uint8_t); } } else if (!strcmp(element_name, "alternate")) { + if (!SDP_IS_ALT(ctx_data->stack_head->data->dtd)) { + g_set_error(err, G_MARKUP_ERROR, G_MARKUP_ERROR_INVALID_CONTENT, + "Unexpected data type %d for alternate", + ctx_data->stack_head->data->dtd); + return; + } + ctx_data->stack_head->data->unitSize = compute_seq_size(ctx_data->stack_head->data); if (ctx_data->stack_head->data->unitSize > USHRT_MAX) { -- 2.50.1.703.g449372360f-goog
