39 lines
1.2 KiB
Diff
39 lines
1.2 KiB
Diff
From 367c602b42f1afe7ed50508b01491b5690d54d52 Mon Sep 17 00:00:00 2001
|
|
From: Pranjal Jumde <pjumde@apple.com>
|
|
Date: Mon, 7 Mar 2016 06:34:26 -0800
|
|
Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
|
|
<https://bugzilla.gnome.org/show_bug.cgi?id=757711>
|
|
To: libvir-list@redhat.com
|
|
|
|
* xmlregexp.c:
|
|
(xmlFAParseCharRange): Only advance to the next character if
|
|
there is no error. Advancing to the next character in case of
|
|
an error while parsing regexp leads to an out of bounds access.
|
|
|
|
Signed-off-by: Daniel Veillard <veillard@redhat.com>
|
|
---
|
|
xmlregexp.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/xmlregexp.c b/xmlregexp.c
|
|
index 1f9911c..eb67b74 100644
|
|
--- a/xmlregexp.c
|
|
+++ b/xmlregexp.c
|
|
@@ -5050,11 +5050,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) {
|
|
ERROR("Expecting the end of a char range");
|
|
return;
|
|
}
|
|
- NEXTL(len);
|
|
+
|
|
/* TODO check that the values are acceptable character ranges for XML */
|
|
if (end < start) {
|
|
ERROR("End of range is before start of range");
|
|
} else {
|
|
+ NEXTL(len);
|
|
xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
|
|
XML_REGEXP_CHARVAL, start, end, NULL);
|
|
}
|
|
--
|
|
2.5.5
|
|
|