Fails on empty doctype

The parser was crashing with debug assertions enabled but passing with debug assertions disabled Closes tafia#608
Tpt · Jun 11, 2023 · 2a37fa2 · 2a37fa2
1 parent 84b07b4
commit 2a37fa2
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 1 deletion.
diff --git a/Changelog.md b/Changelog.md
@@ -17,6 +17,9 @@
 
 ### Bug Fixes
 
+- [#612]: Return an error on empty doctype.
+  Before, the parser was crashing with debug assertions enabled but passing with debug assertions disabled.
+
 ### Misc Changes
 
 [#601]: https://github.com/tafia/quick-xml/pull/601

diff --git a/src/errors.rs b/src/errors.rs
@@ -37,6 +37,8 @@ pub enum Error {
     /// `Event::BytesDecl` must start with *version* attribute. Contains the attribute
     /// that was found or `None` if an xml declaration doesn't contain attributes.
     XmlDeclWithoutVersion(Option<String>),
+    /// Empty `Event::DocType`. `<!doctype foo>` is correct but `<!doctype > is not.
+    EmptyDocType,
     /// Attribute parsing error
     InvalidAttr(AttrError),
     /// Escape error
@@ -109,6 +111,7 @@ impl fmt::Display for Error {
                 "XmlDecl must start with 'version' attribute, found {:?}",
                 e
             ),
+            Error::EmptyDocType => write!(f, "DOCTYPE declaration must not be empty"),
             Error::InvalidAttr(e) => write!(f, "error while parsing attribute: {}", e),
             Error::EscapeError(e) => write!(f, "{}", e),
             Error::UnknownPrefix(prefix) => {

diff --git a/src/reader/parser.rs b/src/reader/parser.rs
@@ -117,7 +117,9 @@ impl Parser {
                     .iter()
                     .position(|b| !is_whitespace(*b))
                     .unwrap_or(len - 8);
-                debug_assert!(start < len - 8, "DocType must have a name");
+                if start + 8 >= len {
+                    return Err(Error::EmptyDocType);
+                }
                 Ok(Event::DocType(BytesText::wrap(
                     &buf[8 + start..],
                     self.decoder(),

diff --git a/tests/fuzzing.rs b/tests/fuzzing.rs
@@ -2,6 +2,7 @@
 
 use quick_xml::events::Event;
 use quick_xml::reader::Reader;
+use quick_xml::Error;
 use std::io::Cursor;
 
 #[test]
@@ -50,3 +51,15 @@ fn fuzz_101() {
         buf.clear();
     }
 }
+
+#[test]
+fn fuzz_empty_doctype() {
+    let data = b"<!doctype  \n    >";
+    let mut reader = Reader::from_reader(data.as_slice());
+    let mut buf = Vec::new();
+    assert!(matches!(
+        reader.read_event_into(&mut buf).unwrap_err(),
+        Error::EmptyDocType
+    ));
+    assert_eq!(reader.read_event_into(&mut buf).unwrap(), Event::Eof);
+}