From fccef3cc822af74699cca84cd202719ae61ca3b9 Mon Sep 17 00:00:00 2001
From: Philip Withnall
Date: Mon, 30 Jul 2018 18:33:39 +0100
Subject: [PATCH] gmarkup: Fix crash in error handling path for closing elements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If something which looks like a closing tag is left unfinished, but isn’t paired to an opening tag in the document, the error handling code would do a null pointer dereference. Avoid that, at the cost of introducing a new translatable error message. Includes a test case, courtesy of pdknsk.
Signed-off-by: Philip Withnall
https://gitlab.gnome.org/GNOME/glib/issues/1461
---
 glib/gmarkup.c | 11 ++++++++---
 glib/tests/Makefile.am | 1 +
 glib/tests/markups/fail-51.expected | 1 +
 glib/tests/markups/fail-51.gmarkup | 1 +
 4 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 glib/tests/markups/fail-51.expected
 create mode 100644 glib/tests/markups/fail-51.gmarkup
diff --git a/glib/gmarkup.c b/glib/gmarkup.c
index eff959888..f1ab94e56 100644
--- a/glib/gmarkup.c
+++ b/glib/gmarkup.c
@@ -1844,9 +1844,14 @@ g_markup_parse_context_end_parse (GMarkupParseContext *context,
 case STATE_AFTER_CLOSE_TAG_SLASH:
 case STATE_INSIDE_CLOSE_TAG_NAME:
 case STATE_AFTER_CLOSE_TAG_NAME:
- set_error (context, error, G_MARKUP_ERROR_PARSE,
- _("Document ended unexpectedly inside the close tag for "
- "element “%s”"), current_element (context));
+ if (context->tag_stack != NULL)
+ set_error (context, error, G_MARKUP_ERROR_PARSE,
+ _("Document ended unexpectedly inside the close tag for "
+ "element “%s”"), current_element (context));
+ else
+ set_error (context, error, G_MARKUP_ERROR_PARSE,
+ _("Document ended unexpectedly inside the close tag for an "
+ "unopened element"));
 break;
 
 case STATE_INSIDE_PASSTHROUGH:
diff --git a/glib/tests/Makefile.am b/glib/tests/Makefile.am
index afd8fef6a..4c822bf66 100644
--- a/glib/tests/Makefile.am
+++ b/glib/tests/Makefile.am
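Review bot: The new `context->tag_stack != NULL` guard in the `STATE_AFTER_CLOSE_TAG_SLASH` / `STATE_INSIDE_CLOSE_TAG_NAME` / `STATE_AFTER_CLOSE_TAG_NAME` cases of glib/gmarkup.c has no comment saying why the stack can be empty in these states. The reason is only in the commit message, so a line above the `if` would help: `/* tag_stack is NULL if the document ends inside a close tag that was never opened */`. The guard also protects only this call site. `current_element ()` is defined outside the hunk, so it cannot be confirmed from here whether other cases in this switch can reach it with an empty stack on truncated input; that is worth checking, since this parser is commonly fed untrusted markup. The body of `g_markup_parse_context_end_parse` starts and ends outside the hunk.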
@@ -159,6 +159,7 @@ markup_tests = \
 fail-36 fail-37 fail-38 fail-39 fail-40 \
 fail-41 fail-42 fail-43 fail-44 fail-45 \
 fail-46 fail-47 fail-48 fail-49 fail-50 \
+ fail-51 \
 valid-1 valid-2 valid-3 valid-4 valid-5 \
 valid-6 valid-7 valid-8 valid-9 valid-10 \
 valid-11 valid-12 valid-13 valid-14 valid-15 \
diff --git a/glib/tests/markups/fail-51.expected b/glib/tests/markups/fail-51.expected
new file mode 100644
index 000000000..1c7e8d47a
--- /dev/null
+++ b/glib/tests/markups/fail-51.expected
@@ -0,0 +1 @@
+ERROR Error on line 1 char 5: Document ended unexpectedly inside the close tag for an unopened element
diff --git a/glib/tests/markups/fail-51.gmarkup b/glib/tests/markups/fail-51.gmarkup
new file mode 100644
index 000000000..860e1e6b5
--- /dev/null
+++ b/glib/tests/markups/fail-51.gmarkup
@@ -0,0 +1 @@
+