Blame SOURCES/libxml2-2.9.7-CVE-2020-24977.patch

5a940c
From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
5a940c
From: Nick Wellnhofer <wellnhofer@aevum.de>
5a940c
Date: Fri, 7 Aug 2020 21:54:27 +0200
5a940c
Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
5a940c
5a940c
Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
5a940c
array access.
5a940c
5a940c
Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
5a940c
the report.
5a940c
5a940c
Fixes #178.
5a940c
---
5a940c
 xmllint.c | 6 ++++++
5a940c
 1 file changed, 6 insertions(+)
5a940c
5a940c
diff --git a/xmllint.c b/xmllint.c
5a940c
index f6a8e4636..c647486f3 100644
5a940c
--- a/xmllint.c
5a940c
+++ b/xmllint.c
5a940c
@@ -528,6 +528,12 @@ static void
5a940c
 xmlHTMLEncodeSend(void) {
5a940c
     char *result;
5a940c
 
5a940c
+    /*
5a940c
+     * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
5a940c
+     * end with a truncated UTF-8 sequence. This is a hack to at least avoid
5a940c
+     * an out-of-bounds read.
5a940c
+     */
5a940c
+    memset(&buffer[sizeof(buffer)-4], 0, 4);
5a940c
     result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
5a940c
     if (result) {
5a940c
 	xmlGenericError(xmlGenericErrorContext, "%s", result);
5a940c
-- 
5a940c
GitLab
5a940c