[libxml2] Fix OOB write in xmlXPathEmptyNodeSet



commit 91ac664f4b3d3ed55f5ff297f1ddbc7acb425006
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Tue Apr 26 14:47:56 2016 +0200

    Fix OOB write in xmlXPathEmptyNodeSet
    
    xmlXPathEmptyNodeSet would write a NULL pointer just beyond the end of
    the nodeTab array. This macro isn't used in libxml2, but in some of the
    math functions in libexslt where it can result in heap corruption and
    denial of service.
    
    Found by afl-fuzz and ASan.

 include/libxml/xpathInternals.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/include/libxml/xpathInternals.h b/include/libxml/xpathInternals.h
index 70c9db9..76a6b48 100644
--- a/include/libxml/xpathInternals.h
+++ b/include/libxml/xpathInternals.h
@@ -229,7 +229,7 @@ XMLPUBFUN void * XMLCALL
  * Empties a node-set.
  */
 #define xmlXPathEmptyNodeSet(ns)                                       \
-    { while ((ns)->nodeNr > 0) (ns)->nodeTab[(ns)->nodeNr--] = NULL; }
+    { while ((ns)->nodeNr > 0) (ns)->nodeTab[--(ns)->nodeNr] = NULL; }
 
 /**
  * CHECK_ERROR:
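Review bot: The corrected macro on the `+` line still evaluates `ns` three times per loop iteration and dereferences it without a check, while the doc comment above it says only "Empties a node-set." Since the commit message says the users of this macro live outside libxml2 (libexslt), the contract is worth stating in the header, for example by adding ` * @ns must be non-NULL and free of side effects; slots [0, nodeNr) are set to NULL and the nodes are not freed.` to that comment. The diffstat shows only this header changing, so no regression test pins the off-by-one; a test that drives one of the affected libexslt math functions under ASan would keep it from coming back. The doc comment starts above the hunk, so its opening lines are not visible here.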

