From 367c602b42f1afe7ed50508b01491b5690d54d52 Mon Sep 17 00:00:00 2001 From: Pranjal Jumde Date: Mon, 7 Mar 2016 06:34:26 -0800 Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup To: libvir-list@redhat.com * xmlregexp.c: (xmlFAParseCharRange): Only advance to the next character if there is no error. Advancing to the next character in case of an error while parsing regexp leads to an out of bounds access. Signed-off-by: Daniel Veillard --- xmlregexp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xmlregexp.c b/xmlregexp.c index 1f9911c..eb67b74 100644 --- a/xmlregexp.c +++ b/xmlregexp.c @@ -5050,11 +5050,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) { ERROR("Expecting the end of a char range"); return; } - NEXTL(len); + /* TODO check that the values are acceptable character ranges for XML */ if (end < start) { ERROR("End of range is before start of range"); } else { + NEXTL(len); xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg, XML_REGEXP_CHARVAL, start, end, NULL); } -- 2.5.5