[libxml2] Heap-buffer-overflow read of size 1 in xmlFAParsePosCharGroup



commit fb56f80eeffde4b79a49667c3f0727181d57aeb3
Author: David Kilzer <ddkilzer apple com>
Date:   Tue Jul 4 18:38:03 2017 +0200

    Heap-buffer-overflow read of size 1 in xmlFAParsePosCharGroup
    
    Credit to OSS-Fuzz.
    
    Add a check to xmlFAParseCharRange() for the end of the buffer
    to prevent reading past the end of it.
    
    This fixes Bug 784017.

 xmlregexp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/xmlregexp.c b/xmlregexp.c
index 019399f..b640264 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -5053,7 +5053,7 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) {
                return;
        }
         len = 1;
-    } else if ((cur != 0x5B) && (cur != 0x5D)) {
+    } else if ((cur != '\0') && (cur != 0x5B) && (cur != 0x5D)) {
         end = CUR_SCHAR(ctxt->cur, len);
     } else {
        ERROR("Expecting the end of a char range");
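Review bot: The new `(cur != '\0')` test in the `else if` of xmlFAParseCharRange() carries no comment saying that NUL marks the end of the regexp buffer, and it mixes a character literal with the hex constants 0x5B and 0x5D beside it. A short comment on that line would make the intent clear to the next reader. With this condition a truncated range now falls through to the `else` branch and reports "Expecting the end of a char range", which is a reasonable outcome, but the escape branch just above (the one ending in `len = 1;`) is only partly visible here, so it is worth confirming it has an equivalent end-of-buffer check before it advances. The diffstat lists only xmlregexp.c, so the OSS-Fuzz reproducer for Bug 784017 is not added as a regression test. Please add it to the regexp test inputs so the over-read cannot come back unnoticed.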

