Commit eb1030de authored by Nick Wellnhofer's avatar Nick Wellnhofer

Fix heap overread in xsltFormatNumberConversion

An empty decimal-separator could cause a heap overread. This can be
exploited to leak a couple of bytes after the buffer that holds the
pattern string.

Found with afl-fuzz and ASan.
parent 8345634c
......@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
}
/* We have finished the integer part, now work on fraction */
if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
if ( (*the_format != 0) &&
(xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
format_info.add_decimal = TRUE;
the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment