| From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001 |
| From: David Drysdale <drysdale@google.com> |
| Date: Fri, 20 Nov 2015 10:47:12 +0800 |
| Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in |
| xmlDictComputeFastQKey |
| |
| For https://bugzilla.gnome.org/show_bug.cgi?id=756528 |
| It was possible to hit a negative offset in the name indexing |
| used to randomize the dictionary key generation |
| Reported and fix provided by David Drysdale @ Google |
| |
| Upstream-Status: Backport |
| |
| CVE-2015-7497 |
| |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| dict.c | 5 ++++- |
| 1 file changed, 4 insertions(+), 1 deletion(-) |
| |
| diff --git a/dict.c b/dict.c |
| index 5f71d55..8c8f931 100644 |
| --- a/dict.c |
| +++ b/dict.c |
| @@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen, |
| value += 30 * (*prefix); |
| |
| if (len > 10) { |
| - value += name[len - (plen + 1 + 1)]; |
| + int offset = len - (plen + 1 + 1); |
| + if (offset < 0) |
| + offset = len - (10 + 1); |
| + value += name[offset]; |
| len = 10; |
| if (plen > 10) |
| plen = 10; |
| -- |
| 2.3.5 |
| |