[libxml2] CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey

From: Daniel Veillard <veillard src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxml2] CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey
Date: Fri, 20 Nov 2015 09:57:03 +0000 (UTC)

commit 6360a31a84efe69d155ed96306b9a931a40beab9
Author: David Drysdale <drysdale google com>
Date:   Fri Nov 20 10:47:12 2015 +0800

    CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey
    
    For https://bugzilla.gnome.org/show_bug.cgi?id=756528
    It was possible to hit a negative offset in the name indexing
    used to randomize the dictionary key generation
    Reported and fix provided by David Drysdale @ Google

 dict.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)
---
diff --git a/dict.c b/dict.c
index 5f71d55..8c8f931 100644
--- a/dict.c
+++ b/dict.c
@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
        value += 30 * (*prefix);
 
     if (len > 10) {
-        value += name[len - (plen + 1 + 1)];
+        int offset = len - (plen + 1 + 1);
+       if (offset < 0)
+           offset = len - (10 + 1);
+       value += name[offset];
         len = 10;
        if (plen > 10)
            plen = 10;

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]