[CVE-2023-29469] Hashing of empty dict strings isn't deterministic

When hashing empty strings which aren't null-terminated, xmlDictComputeFastKey could produce inconsistent results. This could lead to various logic or memory errors, including double frees. For consistency the seed is also taken into account, but this shouldn't have an impact on security. Found by OSS-Fuzz. Fixes #510.
2025-01-26 10:03:34 +03:00 · 2023-04-07 11:49:27 +02:00 · 2023-04-07 11:49:27 +02:00 · 547edbf1cb
commit 547edbf1cb
parent e4f85f1bd2
1 changed files with 2 additions and 1 deletions
--- a/dict.c
+++ b/dict.c
@ -433,7 +433,8 @@ static unsigned long
 xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
    unsigned long value = seed;

-    if (name == NULL) return(0);
+    if ((name == NULL) || (namelen <= 0))
+        return(value);
    value += *name;
    value <<= 5;
    if (namelen > 10) {