Commit 6360a31a authored by David Drysdale's avatar David Drysdale Committed by Daniel Veillard

CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey

For https://bugzilla.gnome.org/show_bug.cgi?id=756528
It was possible to hit a negative offset in the name indexing
used to randomize the dictionary key generation
Reported and fix provided by David Drysdale @ Google
parent 53ac9c96
......@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
value += 30 * (*prefix);
if (len > 10) {
value += name[len - (plen + 1 + 1)];
int offset = len - (plen + 1 + 1);
if (offset < 0)
offset = len - (10 + 1);
value += name[offset];
len = 10;
if (plen > 10)
plen = 10;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment