| From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001 |
| From: Nick Wellnhofer <wellnhofer@aevum.de> |
| Date: Fri, 7 Apr 2023 11:49:27 +0200 |
| Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't |
| deterministic |
| |
| When hashing empty strings which aren't null-terminated, |
| xmlDictComputeFastKey could produce inconsistent results. This could |
| lead to various logic or memory errors, including double frees. |
| |
| For consistency the seed is also taken into account, but this shouldn't |
| have an impact on security. |
| |
| Found by OSS-Fuzz. |
| |
| Fixes #510. |
| |
| CVE: CVE-2023-29469 |
| Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df] |
| |
| Signed-off-by: Peter Marko <peter.marko@siemens.com> |
| --- |
| dict.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| diff --git a/dict.c b/dict.c |
| index 86c3f6d7..d7fd1a06 100644 |
| --- a/dict.c |
| +++ b/dict.c |
| @@ -451,7 +451,8 @@ static unsigned long |
| xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) { |
| unsigned long value = seed; |
| |
| - if (name == NULL) return(0); |
| + if ((name == NULL) || (namelen <= 0)) |
| + return(value); |
| value = *name; |
| value <<= 5; |
| if (namelen > 10) { |
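Review bot: The new early return hands back the seed, but the context line directly after it, `value = *name;`, overwrites `value` for every non-empty name, so in the lines visible here the seed only affects the NULL and empty-string case. Since the commit message says the seed is taken into account for consistency, it is worth confirming that this assignment is intended to stay as it is, or stating that seeding the non-empty path is out of scope for this fix. Note also that the return value for `name == NULL` changes from 0 to the seed. A one-line comment above the `namelen <= 0` check, saying that `name` may not be null-terminated and so must not be dereferenced when the length is zero, would keep the guard from being simplified away later.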
| -- |
| GitLab |
| |