[libxml2] Fix OOB read with invalid UTF-8 in xmlUTF8Strsize



commit 96a5c17ee154add361abbae27b29c86e398fc1b9
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Thu Apr 21 19:03:47 2016 +0200

    Fix OOB read with invalid UTF-8 in xmlUTF8Strsize
    
    With certain invalid UTF-8, xmlUTF8Strsize can read up to 6 bytes
    beyond the end of the string and return the wrong size.
    
    This means that in xmlUTF8Strndup and similar code, some content behind
    the string is copied. But since the terminating \0 is copied as well,
    this probably can't be exploited to leak sensitive information.
    
    Found by afl-fuzz and ASan.

 xmlstring.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/xmlstring.c b/xmlstring.c
index a37220d..b89c9e9 100644
--- a/xmlstring.c
+++ b/xmlstring.c
@@ -837,8 +837,8 @@ xmlUTF8Strsize(const xmlChar *utf, int len) {
             break;
         if ( (ch = *ptr++) & 0x80)
             while ((ch<<=1) & 0x80 ) {
-                ptr++;
                if (*ptr == 0) break;
+                ptr++;
            }
     }
     return (ptr - utf);
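Review bot: The reorder is the right fix. In the old ordering `ptr++` ran before the `*ptr == 0` check, so a lead byte announcing continuation bytes that the string does not contain pushed `ptr` past the terminator and then dereferenced it; with the check first, `ptr` stops on the NUL and the returned size counts only the bytes actually present. A regression test over a truncated sequence such as a lone 0xFC lead byte followed by NUL (five missing continuation bytes), run under ASan as the commit message mentions, would pin this down. Note that the inner loop still stops only on NUL, not on a byte that fails the 10xxxxxx continuation form, so the return value is a byte count of whatever precedes the terminator, not a validation result; callers should not treat it as one.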

