libxslt/libxslt-CVE-2019-13118.patch

From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 3 Jun 2019 13:14:45 +0200
Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars

The character type in xsltFormatNumberConversion was too narrow and
an invalid character/length combination could be passed to
xsltNumberFormatDecimal, resulting in an uninitialized read.

Found by OSS-Fuzz.
---
 libxslt/numbers.c         | 5 +++--
 tests/docs/bug-222.xml    | 1 +
 tests/general/bug-222.out | 2 ++
 tests/general/bug-222.xsl | 6 ++++++
 4 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 tests/docs/bug-222.xml
 create mode 100644 tests/general/bug-222.out
 create mode 100644 tests/general/bug-222.xsl

diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index f1ed8846..20b99d5a 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
     number = floor((scale * number + 0.5)) / scale;
     if ((self->grouping != NULL) &&
         (self->grouping[0] != 0)) {
+        int gchar;
 
 	len = xmlStrlen(self->grouping);
-	pchar = xsltGetUTF8Char(self->grouping, &len);
+	gchar = xsltGetUTF8Char(self->grouping, &len);
 	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
 				format_info.integer_digits,
 				format_info.group,
-				pchar, len);
+				gchar, len);
     } else
 	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
 				format_info.integer_digits,
diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
new file mode 100644
index 00000000..69d62f2c
--- /dev/null
+++ b/tests/docs/bug-222.xml
@@ -0,0 +1 @@
+<doc/>
diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
new file mode 100644
index 00000000..e3139698
--- /dev/null
+++ b/tests/general/bug-222.out
@@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+1⠢0
diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
new file mode 100644
index 00000000..e32dc473
--- /dev/null
+++ b/tests/general/bug-222.xsl
@@ -0,0 +1,6 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+  <xsl:decimal-format name="f" grouping-separator="⠢"/>
+  <xsl:template match="/">
+    <xsl:value-of select="format-number(10,'#⠢0','f')"/>
+  </xsl:template>
+</xsl:stylesheet>
-- 
2.21.0