Blame SOURCES/libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch

6dedca
From b1a4e51efbfb1ae3a37a14be73d438aaab6b5c9e Mon Sep 17 00:00:00 2001
6dedca
From: Pranjal Jumde <pjumde@apple.com>
6dedca
Date: Tue, 8 Mar 2016 17:29:00 -0800
6dedca
Subject: [PATCH] Bug 763071: heap-buffer-overflow in xmlStrncat
6dedca
 <https://bugzilla.gnome.org/show_bug.cgi?id=763071>
6dedca
To: libvir-list@redhat.com
6dedca
6dedca
* xmlstring.c:
6dedca
(xmlStrncat): Return NULL if xmlStrlen returns a negative length.
6dedca
(xmlStrncatNew): Ditto.
6dedca
6dedca
Signed-off-by: Daniel Veillard <veillard@redhat.com>
6dedca
---
6dedca
 xmlstring.c | 9 ++++++++-
6dedca
 1 file changed, 8 insertions(+), 1 deletion(-)
6dedca
6dedca
diff --git a/xmlstring.c b/xmlstring.c
6dedca
index a37220d..d465c23 100644
6dedca
--- a/xmlstring.c
6dedca
+++ b/xmlstring.c
6dedca
@@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
6dedca
         return(xmlStrndup(add, len));
6dedca
 
6dedca
     size = xmlStrlen(cur);
6dedca
+    if (size < 0)
6dedca
+        return(NULL);
6dedca
     ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar));
6dedca
     if (ret == NULL) {
6dedca
         xmlErrMemory(NULL, NULL);
6dedca
@@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) {
6dedca
     int size;
6dedca
     xmlChar *ret;
6dedca
 
6dedca
-    if (len < 0)
6dedca
+    if (len < 0) {
6dedca
         len = xmlStrlen(str2);
6dedca
+        if (len < 0)
6dedca
+            return(NULL);
6dedca
+    }
6dedca
     if ((str2 == NULL) || (len == 0))
6dedca
         return(xmlStrdup(str1));
6dedca
     if (str1 == NULL)
6dedca
         return(xmlStrndup(str2, len));
6dedca
 
6dedca
     size = xmlStrlen(str1);
6dedca
+    if (size < 0)
6dedca
+        return(NULL);
6dedca
     ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar));
6dedca
     if (ret == NULL) {
6dedca
         xmlErrMemory(NULL, NULL);
6dedca
-- 
6dedca
2.5.5
6dedca