You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
36 lines
1.0 KiB
36 lines
1.0 KiB
From 540a3b58c233db4f2d2becea9c2b79b3ce190055 Mon Sep 17 00:00:00 2001 |
|
From: David Drysdale <drysdale@google.com> |
|
Date: Fri, 20 Nov 2015 10:47:12 +0800 |
|
Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in |
|
xmlDictComputeFastQKey |
|
To: libvir-list@redhat.com |
|
|
|
For https://bugzilla.gnome.org/show_bug.cgi?id=756528 |
|
It was possible to hit a negative offset in the name indexing |
|
used to randomize the dictionary key generation |
|
Reported and fix provided by David Drysdale @ Google |
|
|
|
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
|
--- |
|
dict.c | 5 ++++- |
|
1 file changed, 4 insertions(+), 1 deletion(-) |
|
|
|
diff --git a/dict.c b/dict.c |
|
index 5f71d55..8c8f931 100644 |
|
--- a/dict.c |
|
+++ b/dict.c |
|
@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen, |
|
value += 30 * (*prefix); |
|
|
|
if (len > 10) { |
|
- value += name[len - (plen + 1 + 1)]; |
|
+ int offset = len - (plen + 1 + 1); |
|
+ if (offset < 0) |
|
+ offset = len - (10 + 1); |
|
+ value += name[offset]; |
|
len = 10; |
|
if (plen > 10) |
|
plen = 10; |
|
-- |
|
2.5.0 |
|
|
|
|