html5lib_shim: validate unicode points for convert_entity

fixes: * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29865 * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29882
mozilla · Jan 26, 2021 · 6879f6a · 6879f6a
1 parent 90cb80b
commit 6879f6a
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/bleach/html5lib_shim.py b/bleach/html5lib_shim.py
@@ -459,9 +459,22 @@ def convert_entity(value):
     if value[0] == "#":
         if len(value) < 2:
             return None
+
         if value[1] in ("x", "X"):
-            return six.unichr(int(value[2:], 16))
-        return six.unichr(int(value[1:], 10))
+            # hex-encoded code point
+            int_as_string, base = value[2:], 16
+        else:
+            # decimal code point
+            int_as_string, base = value[1:], 10
+
+        if int_as_string == "":
+            return None
+
+        code_point = int(int_as_string, base)
+        if 0 < code_point < 0x110000:
+            return six.unichr(code_point)
+        else:
+            return None
 
     return ENTITIES.get(value, None)
 

diff --git a/tests/test_html5lib_shim.py b/tests/test_html5lib_shim.py
@@ -19,6 +19,16 @@
         ("&xx;", "&xx;"),
         # Handles multiple entities in the same string
         ("this &amp; that &amp; that", "this & that & that"),
+        # Handles empty decimal and hex encoded code points
+        ("&#x;", "&#x;"),
+        ("&#;", "&#;"),
+        # Handles too high unicode points
+        ("&#x110000;", "&#x110000;"),
+        ("&#x110111;", "&#x110111;"),
+        ("&#9277809;", "&#9277809;"),
+        # Handles negative unicode points
+        ("&#-1;", "&#-1;"),
+        ("&#x-1;", "&#x-1;"),
     ],
 )
 def test_convert_entities(data, expected):