rpms / libxml2

Clone
Source Code
GIT

Blame SOURCES/libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c8s c9 c9-beta
  1.   6dedcab9a440c414eda8569ea4df2f0fe0adb565
  2.   SOURCES
  3.   libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch
Blob History Raw
6dedca 
From 540a3b58c233db4f2d2becea9c2b79b3ce190055 Mon Sep 17 00:00:00 2001
6dedca 
From: David Drysdale <drysdale@google.com>
6dedca 
Date: Fri, 20 Nov 2015 10:47:12 +0800
6dedca 
Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in
6dedca 
 xmlDictComputeFastQKey
6dedca 
To: libvir-list@redhat.com
6dedca
6dedca 
For https://bugzilla.gnome.org/show_bug.cgi?id=756528
6dedca 
It was possible to hit a negative offset in the name indexing
6dedca 
used to randomize the dictionary key generation
6dedca 
Reported and fix provided by David Drysdale @ Google
6dedca
6dedca 
Signed-off-by: Daniel Veillard <veillard@redhat.com>
6dedca 
---
6dedca 
 dict.c | 5 ++++-
6dedca 
 1 file changed, 4 insertions(+), 1 deletion(-)
6dedca
6dedca 
diff --git a/dict.c b/dict.c
6dedca 
index 5f71d55..8c8f931 100644
6dedca 
--- a/dict.c
6dedca 
+++ b/dict.c
6dedca 
@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
6dedca 
 	value += 30 * (*prefix);
6dedca
6dedca 
     if (len > 10) {
6dedca 
-        value += name[len - (plen + 1 + 1)];
6dedca 
+        int offset = len - (plen + 1 + 1);
6dedca 
+	if (offset < 0)
6dedca 
+	    offset = len - (10 + 1);
6dedca 
+	value += name[offset];
6dedca 
         len = 10;
6dedca 
 	if (plen > 10)
6dedca 
 	    plen = 10;
6dedca 
--
6dedca 
2.5.0
6dedca

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation