0e4141e559
- Added patch libxslt-CVE-2016-4738.patch * Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string. * bsc#1005591 CVE-2016-4738 OBS-URL: https://build.opensuse.org/request/show/479022 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=54
33 lines
1.0 KiB
Diff
33 lines
1.0 KiB
Diff
From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Fri, 10 Jun 2016 14:23:58 +0200
|
|
Subject: Fix heap overread in xsltFormatNumberConversion
|
|
|
|
An empty decimal-separator could cause a heap overread. This can be
|
|
exploited to leak a couple of bytes after the buffer that holds the
|
|
pattern string.
|
|
|
|
Found with afl-fuzz and ASan.
|
|
---
|
|
libxslt/numbers.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
|
|
index d1549b4..e78c46b 100644
|
|
--- a/libxslt/numbers.c
|
|
+++ b/libxslt/numbers.c
|
|
@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
|
|
}
|
|
|
|
/* We have finished the integer part, now work on fraction */
|
|
- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
|
|
+ if ( (*the_format != 0) &&
|
|
+ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
|
|
format_info.add_decimal = TRUE;
|
|
the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
|
|
}
|
|
--
|
|
cgit v0.12
|
|
|
|
|