blob: 955c961957010a2339511bd817b9c83f469b4131 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001
From: David Drysdale <drysdale@google.com>
Date: Fri, 20 Nov 2015 10:47:12 +0800
Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in
xmlDictComputeFastQKey
For https://bugzilla.gnome.org/show_bug.cgi?id=756528
It was possible to hit a negative offset in the name indexing
used to randomize the dictionary key generation
Reported and fix provided by David Drysdale @ Google
Upstream-Status: Backport
CVE-2015-7497
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
dict.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/dict.c b/dict.c
index 5f71d55..8c8f931 100644
--- a/dict.c
+++ b/dict.c
@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
value += 30 * (*prefix);
if (len > 10) {
- value += name[len - (plen + 1 + 1)];
+ int offset = len - (plen + 1 + 1);
+ if (offset < 0)
+ offset = len - (10 + 1);
+ value += name[offset];
len = 10;
if (plen > 10)
plen = 10;
--
2.3.5
|
