mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2024-10-26 12:25:09 +03:00

CVE-2015-7497 Avoid a heap buffer overflow in xmlDictComputeFastQKey

For https://bugzilla.gnome.org/show_bug.cgi?id=756528
It was possible to hit a negative offset in the name indexing
used to randomize the dictionary key generation
Reported and fix provided by David Drysdale @ Google
David Drysdale 2015-11-20 10:47:12 +08:00 committed by Daniel Veillard
parent 53ac9c9649
commit 6360a31a84

dict.c

@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
value += 30 * (*prefix);
if (len > 10) {
value += name[len - (plen + 1 + 1)];
int offset = len - (plen + 1 + 1);
if (offset < 0)
offset = len - (10 + 1);
value += name[offset];
len = 10;
if (plen > 10)
plen = 10;
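Review bot: the fallback `offset = len - (10 + 1);` is only in bounds because the enclosing `if (len > 10)` guarantees `len - 11 >= 0`, and that invariant is implicit; a one-line comment above the `if (offset < 0)` check stating that `offset` can go negative when `plen + 2 > len` and that the fallback is safe because `len > 10` here would make the fix self-explaining for the next reader. The literal `10` now appears three times in this block (the fallback, `len = 10;`, `plen = 10;`); a named constant or a comment tying them together would keep the fallback from drifting if the clamp value ever changes. The fix would also benefit from a regression test that exercises the previously negative index, i.e. a qualified name whose `plen` is at least `len - 1` with `len > 10`, so the out-of-bounds read reported in the bug is covered rather than only reasoned about.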