diff -Nurd -x'*~' libcroco-0.6.12.orig/src/cr-input.c libcroco-0.6.12/src/cr-input.c --- libcroco-0.6.12.orig/src/cr-input.c 2017-04-06 09:30:12.000000000 -0400 +++ libcroco-0.6.12/src/cr-input.c 2018-06-10 00:08:58.000000000 -0400 @@ -256,7 +256,7 @@ *we should free buf here because it's own by CRInput. *(see the last parameter of cr_input_new_from_buf(). */ - buf = NULL ; + buf = NULL; } cleanup: @@ -404,6 +404,8 @@ enum CRStatus cr_input_read_byte (CRInput * a_this, guchar * a_byte) { + gulong nb_bytes_left = 0; + g_return_val_if_fail (a_this && PRIVATE (a_this) && a_byte, CR_BAD_PARAM_ERROR); @@ -413,6 +415,12 @@ if (PRIVATE (a_this)->end_of_input == TRUE) return CR_END_OF_INPUT_ERROR; + nb_bytes_left = cr_input_get_nb_bytes_left (a_this); + + if (nb_bytes_left < 1) { + return CR_END_OF_INPUT_ERROR; + } + *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index]; if (PRIVATE (a_this)->nb_bytes - @@ -477,7 +485,6 @@ if (*a_char == '\n') { PRIVATE (a_this)->end_of_line = TRUE; } - } return status; diff -Nurd -x'*~' libcroco-0.6.12.orig/src/cr-tknzr.c libcroco-0.6.12/src/cr-tknzr.c --- libcroco-0.6.12.orig/src/cr-tknzr.c 2017-04-06 09:30:12.000000000 -0400 +++ libcroco-0.6.12/src/cr-tknzr.c 2018-06-10 00:09:02.000000000 -0400 @@ -299,7 +299,6 @@ status = cr_tknzr_peek_char (a_this, &cur_char); if (status == CR_END_OF_INPUT_ERROR) { - status = CR_OK; break; } else if (status != CR_OK) { goto error; @@ -1280,6 +1279,11 @@ status = cr_tknzr_parse_num (a_this, &num); ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL)); + if (num->val > G_MAXLONG) { + status = CR_PARSING_ERROR; + goto error; + } + red = num->val; cr_num_destroy (num); num = NULL; @@ -1299,6 +1303,11 @@ status = cr_tknzr_parse_num (a_this, &num); ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL)); + if (num->val > G_MAXLONG) { + status = CR_PARSING_ERROR; + goto error; + } + PEEK_BYTE (a_this, 1, &next_bytes[0]); if (next_bytes[0] == '%') { SKIP_CHARS (a_this, 1);