author | David Drysdale <drysdale@google.com> | 2015-11-20 10:47:12 +0800 |
---|---|---|
committer | Daniel Veillard <veillard@redhat.com> | 2015-11-20 10:47:12 +0800 |
commit | 6360a31a84efe69d155ed96306b9a931a40beab9 (patch) | |
tree | 2f78a1031ab8e14f2e01c1f3a9affad77bd142f8 | |
parent | 53ac9c9649fa091377dfea9511f012171f08972d (diff) | |
CVE-2015-7497 Avoid a heap buffer overflow in xmlDictComputeFastQKey
For https://bugzilla.gnome.org/show_bug.cgi?id=756528
It was possible to hit a negative offset in the name indexing
used to randomize the dictionary key generation.
Reported and fix provided by David Drysdale @ Google
-rw-r--r-- | dict.c | 5 |
1 files changed, 4 insertions, 1 deletions
@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen, value += 30 * (*prefix); if (len > 10) { - value += name[len - (plen + 1 + 1)]; + int offset = len - (plen + 1 + 1); + if (offset < 0) + offset = len - (10 + 1); + value += name[offset]; len = 10; if (plen > 10) plen = 10; |
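Review bot: The fallback `offset = len - (10 + 1)` in the new `if (offset < 0)` branch needs a comment, because it is in bounds only by virtue of the enclosing `if (len > 10)`, which guarantees `len - 11 >= 0`. That dependency is easy to break if the threshold is changed later, so consider naming the 10 as a constant shared by the `len > 10` test, the fallback and the `len = 10` / `plen = 10` clamps. The check also bounds `offset` from below only: `plen` is a signed `int` parameter, and a `plen` below -1 would put `offset` at or past `len`. If callers can never pass a negative `plen`, state that in a comment or assert it here; otherwise clamp `offset` on both sides before indexing `name`.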