xzyang / rpms / libxml2

Forked from rpms/libxml2 3 years ago
Clone

Blame SOURCES/libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch

1c8959
From 367c602b42f1afe7ed50508b01491b5690d54d52 Mon Sep 17 00:00:00 2001
1c8959
From: Pranjal Jumde <pjumde@apple.com>
1c8959
Date: Mon, 7 Mar 2016 06:34:26 -0800
1c8959
Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
1c8959
 <https://bugzilla.gnome.org/show_bug.cgi?id=757711>
1c8959
To: libvir-list@redhat.com
1c8959
1c8959
* xmlregexp.c:
1c8959
(xmlFAParseCharRange): Only advance to the next character if
1c8959
there is no error.  Advancing to the next character in case of
1c8959
an error while parsing regexp leads to an out of bounds access.
1c8959
1c8959
Signed-off-by: Daniel Veillard <veillard@redhat.com>
1c8959
---
1c8959
 xmlregexp.c | 3 ++-
1c8959
 1 file changed, 2 insertions(+), 1 deletion(-)
1c8959
1c8959
diff --git a/xmlregexp.c b/xmlregexp.c
1c8959
index 1f9911c..eb67b74 100644
1c8959
--- a/xmlregexp.c
1c8959
+++ b/xmlregexp.c
1c8959
@@ -5050,11 +5050,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) {
1c8959
 	ERROR("Expecting the end of a char range");
1c8959
 	return;
1c8959
     }
1c8959
-    NEXTL(len);
1c8959
+
1c8959
     /* TODO check that the values are acceptable character ranges for XML */
1c8959
     if (end < start) {
1c8959
 	ERROR("End of range is before start of range");
1c8959
     } else {
1c8959
+        NEXTL(len);
1c8959
         xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
1c8959
 		           XML_REGEXP_CHARVAL, start, end, NULL);
1c8959
     }
1c8959
-- 
1c8959
2.5.5
1c8959