Commit 6ce8de69 authored by Nick Wellnhofer's avatar Nick Wellnhofer

Fix uninitialized read with UTF-8 grouping chars

The character type in xsltFormatNumberConversion was too narrow and
an invalid character/length combination could be passed to
xsltNumberFormatDecimal, resulting in an uninitialized read.

Found by OSS-Fuzz.
parent b6199a23
......@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
number = floor((scale * number + 0.5)) / scale;
if ((self->grouping != NULL) &&
(self->grouping[0] != 0)) {
int gchar;
len = xmlStrlen(self->grouping);
pchar = xsltGetUTF8Char(self->grouping, &len);
gchar = xsltGetUTF8Char(self->grouping, &len);
xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
format_info.integer_digits,
format_info.group,
pchar, len);
gchar, len);
} else
xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
format_info.integer_digits,
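Review bot: The added `gchar = xsltGetUTF8Char(self->grouping, &len);` is handed to xsltNumberFormatDecimal without checking for a decoding failure. As far as I know, xsltGetUTF8Char returns a negative value and resets the length when the bytes are not a valid UTF-8 sequence, so a malformed grouping string would still produce a mismatched character/length pair, which is the class of input this commit is about. A guard such as `if (gchar < 0) { gchar = 0; len = 0; }` before the call would make the failure explicit, assuming a zero grouping character disables grouping in xsltNumberFormatDecimal (not visible here, please confirm). The enclosing function starts and ends outside the hunk, so whether the grouping string is validated earlier cannot be seen from here.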
......
<?xml version="1.0"?>
1⠢0
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:decimal-format name="f" grouping-separator="⠢"/>
<xsl:template match="/">
<xsl:value-of select="format-number(10,'#⠢0','f')"/>
</xsl:template>
</xsl:stylesheet>