Add a check to prevent len from going negative in xmlParseAttValueComplex.

BUG=158249


Review URL: https://chromiumcodereview.appspot.com/11343029

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@164867 0039d316-1c4b-4281-b951-d872f2087c98

2 files changed, 2 insertions, 1 deletions

diff --git a/third_party/libxml/README.chromium b/third_party/libxml/README.chromium
index ba588c4..02f29bf 100644
--- a/third_party/libxml/README.chromium
+++ b/third_party/libxml/README.chromium
@@ -32,6 +32,7 @@ Modifications:
 if treated as a generic xmlNode object.
 - Fix pretty harmless use-after-free in generate-id function.
 - Merge a clang warning fix http://git.gnome.org/browse/libxml2/commit/?id=713434d2309da469d64b35e163ea6556dadccada
+- Import attribute normalization fix http://git.gnome.org/browse/libxml2/commit/?id=6a36fbe3b3e001a8a840b5c1fdd81cefc9947f0d
 
 To import a new snapshot of libxml:
 
diff --git a/third_party/libxml/src/parser.c b/third_party/libxml/src/parser.c
index c181071..0b80355 100644
--- a/third_party/libxml/src/parser.c
+++ b/third_party/libxml/src/parser.c
@@ -3800,7 +3800,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
 	c = CUR_CHAR(l);
     }
     if ((in_space) && (normalize)) {
-        while (buf[len - 1] == 0x20) len--;
+        while ((len > 0) && (buf[len - 1] == 0x20)) len--;
     }
     buf[len] = 0;
     if (RAW == '<') {