fix overflow issue found with fuzz (#54)

* fix overflow issue found with fuzz * update dev dependencies
tafia · Mar 6, 2017 · 2745899 · 2745899
1 parent 0fd7fbb
commit 2745899
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -22,7 +22,7 @@ encoding_rs = "0.4.0"
 error-chain = "0.9.0"
 
 [dev-dependencies]
-xml-rs = "0.3.8"
+xml-rs = "0.4.1"
 
 [lib]
 bench = false
diff --git a/src/reader.rs b/src/reader.rs
@@ -365,7 +365,7 @@ impl<B: BufRead> Reader<B> {
         // TODO: do this directly when reading bufreader ...
         let len = buf.len();
         let name_end = buf.iter().position(|&b| is_whitespace(b)).unwrap_or(len);
-        if buf[len - 1] == b'/' {
+        if let Some(&b'/') = buf.last() {
             let end = if name_end < len { name_end } else { len - 1 };
             if self.expand_empty_elements {
                 self.tag_state = TagState::Empty;

diff --git a/tests/test.rs b/tests/test.rs
@@ -3,6 +3,7 @@ extern crate quick_xml;
 use quick_xml::reader::Reader;
 use quick_xml::events::Event::*;
 use quick_xml::events::attributes::Attribute;
+use std::io::Cursor;
 
 #[test]
 fn test_sample() {
@@ -298,3 +299,17 @@ fn test_koi8_r_encoding() {
         }
     }
 }
+
+#[test]
+fn fuzz_53() {
+    let data : &[u8] = b"\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\n(\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00<>\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00<<\x00\x00\x00";
+    let cursor = Cursor::new(data);
+    let mut reader = Reader::from_reader(cursor);
+    let mut buf = vec![];
+    loop {
+        match reader.read_event(&mut buf) {
+            Ok(quick_xml::events::Event::Eof) | Err(..) => break,
+            _ => buf.clear(),
+        }
+    }
+}