diff options
Diffstat (limited to 'dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch')
-rw-r--r-- | dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch b/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch new file mode 100644 index 000000000000..770a1832b190 --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch @@ -0,0 +1,32 @@ +From df4f9bdc7a37908ded8bd1fec4f75509eaa156de Mon Sep 17 00:00:00 2001 +From: David Kilzer <ddkilzer@apple.com> +Date: Tue, 4 Jul 2017 18:38:03 +0200 +Subject: [PATCH 5/7] Heap-buffer-overflow read of size 1 in + xmlFAParsePosCharGroup + +Credit to OSS-Fuzz. + +Add a check to xmlFAParseCharRange() for the end of the buffer +to prevent reading past the end of it. + +This fixes Bug 784017. +--- + xmlregexp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index ca3b4f46..6676c2a8 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -5051,7 +5051,7 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) { + return; + } + len = 1; +- } else if ((cur != 0x5B) && (cur != 0x5D)) { ++ } else if ((cur != '\0') && (cur != 0x5B) && (cur != 0x5D)) { + end = CUR_SCHAR(ctxt->cur, len); + } else { + ERROR("Expecting the end of a char range"); +-- +2.14.1 + |