Blame SOURCES/libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch
|
|
1c8959 |
From 367c602b42f1afe7ed50508b01491b5690d54d52 Mon Sep 17 00:00:00 2001
|
|
|
1c8959 |
From: Pranjal Jumde <pjumde@apple.com>
|
|
|
1c8959 |
Date: Mon, 7 Mar 2016 06:34:26 -0800
|
|
|
1c8959 |
Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
|
|
|
1c8959 |
<https://bugzilla.gnome.org/show_bug.cgi?id=757711>
|
|
|
1c8959 |
To: libvir-list@redhat.com
|
|
|
1c8959 |
|
|
|
1c8959 |
* xmlregexp.c:
|
|
|
1c8959 |
(xmlFAParseCharRange): Only advance to the next character if
|
|
|
1c8959 |
there is no error. Advancing to the next character in case of
|
|
|
1c8959 |
an error while parsing regexp leads to an out of bounds access.
|
|
|
1c8959 |
|
|
|
1c8959 |
Signed-off-by: Daniel Veillard <veillard@redhat.com>
|
|
|
1c8959 |
---
|
|
|
1c8959 |
xmlregexp.c | 3 ++-
|
|
|
1c8959 |
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
1c8959 |
|
|
|
1c8959 |
diff --git a/xmlregexp.c b/xmlregexp.c
|
|
|
1c8959 |
index 1f9911c..eb67b74 100644
|
|
|
1c8959 |
--- a/xmlregexp.c
|
|
|
1c8959 |
+++ b/xmlregexp.c
|
|
|
1c8959 |
@@ -5050,11 +5050,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) {
|
|
|
1c8959 |
ERROR("Expecting the end of a char range");
|
|
|
1c8959 |
return;
|
|
|
1c8959 |
}
|
|
|
1c8959 |
- NEXTL(len);
|
|
|
1c8959 |
+
|
|
|
1c8959 |
/* TODO check that the values are acceptable character ranges for XML */
|
|
|
1c8959 |
if (end < start) {
|
|
|
1c8959 |
ERROR("End of range is before start of range");
|
|
|
1c8959 |
} else {
|
|
|
1c8959 |
+ NEXTL(len);
|
|
|
1c8959 |
xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
|
|
|
1c8959 |
XML_REGEXP_CHARVAL, start, end, NULL);
|
|
|
1c8959 |
}
|
|
|
1c8959 |
--
|
|
|
1c8959 |
2.5.5
|
|
|
1c8959 |
|