summary refs log tree commit diff
path: root/gnu/packages/patches/libxslt-CVE-2016-4738.patch
blob: a7537c66caa855572fc0cf8ab98ec4c47dd90a4b (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
Fix CVE-2016-4738:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4738
https://bugs.chromium.org/p/chromium/issues/detail?id=619006

Patch copied from upstream source repository:
https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880

From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 10 Jun 2016 14:23:58 +0200
Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion

An empty decimal-separator could cause a heap overread. This can be
exploited to leak a couple of bytes after the buffer that holds the
pattern string.

Found with afl-fuzz and ASan.
---
 libxslt/numbers.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index d1549b4..e78c46b 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
     }
 
     /* We have finished the integer part, now work on fraction */
-    if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
+    if ( (*the_format != 0) &&
+         (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
         format_info.add_decimal = TRUE;
 	the_format += xsltUTF8Size(the_format);	/* Skip over the decimal */
     }
-- 
2.10.2