From 8733445256f4b47d53f2ff855f717314cf2448f9 Mon Sep 17 00:00:00 2001
From: Jonathan Hedley <jonathan@hedley.net>
Date: Sun, 19 Jun 2022 10:32:55 +1000
Subject: [PATCH] Fixed an OOB in TreeBuilder when getting the body Element

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48116
Caused by: e714ef12fab4fd00cf7133a22fba4a71ccf7af8e
---
 .../org/jsoup/parser/HtmlTreeBuilderState.java   |   5 +++--
 src/test/resources/fuzztests/48116.html.gz       | Bin 0 -> 9078 bytes
 2 files changed, 3 insertions(+), 2 deletions(-)
 create mode 100644 src/test/resources/fuzztests/48116.html.gz

diff --git a/src/main/java/org/jsoup/parser/HtmlTreeBuilderState.java b/src/main/java/org/jsoup/parser/HtmlTreeBuilderState.java
index e1f33a4303..354b2170aa 100644
--- a/src/main/java/org/jsoup/parser/HtmlTreeBuilderState.java
+++ b/src/main/java/org/jsoup/parser/HtmlTreeBuilderState.java
@@ -385,8 +385,9 @@ private boolean inBodyStartTag(Token t, HtmlTreeBuilder tb) {
                         return false; // ignore
                     } else {
                         tb.framesetOk(false);
-                        Element body = stack.get(1);
-                        if (startTag.hasAttributes()) {
+                        // will be on stack if this is a nested body. won't be if closed (which is a variance from spec, which leaves it on)
+                        Element body;
+                        if (startTag.hasAttributes() && (body = tb.getFromStack("body")) != null) { // we only ever put one body on stack
                             for (Attribute attribute : startTag.attributes) {
                                 if (!body.hasAttr(attribute.getKey()))
                                     body.attributes().put(attribute);
diff --git a/src/test/resources/fuzztests/48116.html.gz b/src/test/resources/fuzztests/48116.html.gz
new file mode 100644
index 0000000000000000000000000000000000000000..37367dc8cc2067689c67531dac9a14b35255065b
GIT binary patch
literal 9078
zcmeGhJ8T?9bkCx}IwPf`0qKI!A&jiWmX#vB8{;G>4VEGVReUHrw`1SH{<QlJ-BBc@
zi$qD}1_}xqR|p|KO+@(hL1|Gs3RfvmDg?)y+0X6X?p@+oCL!9{y_<P&=kwm%H}5kW
zfW<q}X@35=%UjP_@7Y)G-TMC5d%x}3)}py!j}}eopN5@q(-o0G(`4WDf4{K`%bq_7
z7?^!@9k3Q(Fku)2<^<dNuw^o^9=y71+sTy7XaJ)0Y&dzb+wC$&_1SZqZ*LN$+Ffwu
z*>hc%&JD;sI1voEBYV!xkAVC3h&c>}1su?Z&43L$1E9+fkp2e{{}e`D9fIkyI1j0o
zwuYMd@>~L-oyRtt{La^+h*1#HOl1m>!u<+x8zSL|9s*G!eGg2kcf(kk_ies>-yV|=
z8@d^VGC)6=v5XOyhGBe{G$C>=$6<zH`t&aRfcv2>LfxE2=8Hsq1qYYr@il`UT5$Fg
z+?^6=1-Si2m+n~lr<R({c3)Vw90gmsl5l!+k#7L7Pda^R+rne22Q~WWyzT`9d>%)E
zpl7*(TU%8_-E64GKo-WTd1+>lYQiO&5bby^g^B#=;)Y&%@?3Oig}AGTdWx$2vxLyY
zpfn4mMRFV$*i%5lVyQwXU5+qePqy1_P*wn>C27m<f{79x(F9!q?EQReJa$C_A|DB;
zM$Q;7k!Dk~mq<DiB2R0|#)L+q-LpP`c<q=W#(tcX$OPYWqg@f<AQYjO0Vz%2q7~xM
zC3U91R?CE-W!^E7jMvJ_im|d%Y6zQYbhs;UJU(xG*TLj;)7DeJkOkxM_+9BiKV-HT
zA_-Kufnzm{r=MklLkGzKuQ9(547j&$TL^yv4<Uf0BZ?)!5R{EA{)Q=teHgWrS%;qQ
zz!|ck%7Eu<Wmi);<@7(O&wRY_hoQ+yq{(*R0+3)$670e|!x+$_Rx*J8I+LD2izG(H
zudovdO7#3-^ix_0`DyYXZ%4A>^Er*pMY7k*W+1nhl_gN7WoBR6_S#}h`osq0K?Y{F
zCbvRrex^~nFCy>X{ozJ-`@W=h<EbkrdT}|}|I!<T&W<C4gZ<A$cU!~;)*Uz~14kU}
zlg6>y1($u`AzW}yw`vz$yWpHUOqwMJ4CEP8-&MQd)E}n;do(V1{Rwr!*J>B60`te(
z1(O%1TSbhos;JS`p(8>>shlG&*?td4Dr7{9VnDPwh1Kzhs&Thzu!<LhEPSLnhQC}3
zX{5si#h$=hZ?fyFDzas-R806cFjt@mxz$mDECtM5?D(M=1QeW#Z0dY4q!N&+s0jEd
zj+Al%R3UsS1~=KX#HIkY=6hcV{=WWGA-$&g6clOh`Ej5)9yg4u+Ioz~|D-6Ym6XB(
zAH|}L#X3hkCm&8cS*XwHxI@2@Sb#;cV{vx#sR3tn;!(}FM9VV_5`=nHF%Pqu*Bm=Z
zzL9%xMA)*{BuybgWAaLKG|$qj%k%V+*i5FV8cr!q2Pu!DjEHiZ&P$YOuIu1F$#&)g
zappxCf+Jh2jM9Y5I!(Ah2MnpFpv+A~e|~=T7(7LBml2nf9XUsJrgxS~`-(Fqs&Vvv
zzLwaB+W_1wYR?h(c}^+Hin;2079E4ALok!CtGBPM)Et>S^mfW?No%>&=AL-1%~>9u
z0GSq6ZM-d}w@gXto6Y(xuyj~gp9NO9uq@dxxUl*xus#bs&a=QLH4&-L0`<p)$2t+I
wKgX56=+$R|_2)RuB7v&!dMa`#mGm%cx~|Ux{|BGrY8U+IKF3XOn8U*V0^)t0Qvd(}

literal 0
HcmV?d00001