| 1234567891011121314151617181920212223242526 |
- From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
- From: Nick Wellnhofer <wellnhofer@aevum.de>
- Date: Fri, 10 Jun 2016 14:23:58 +0200
- Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
- An empty decimal-separator could cause a heap overread. This can be
- exploited to leak a couple of bytes after the buffer that holds the
- pattern string.
- Found with afl-fuzz and ASan.
- ---
- libxslt/numbers.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
- --- a/libxslt/numbers.c
- +++ b/libxslt/numbers.c
- @@ -1109,7 +1109,8 @@ xsltFormatNumberConversion(xsltDecimalFo
- }
-
- /* We have finished the integer part, now work on fraction */
- - if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
- + if ( (*the_format != 0) &&
- + (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
- format_info.add_decimal = TRUE;
- the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
- }
|
