| From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001 |
| From: Nick Wellnhofer <wellnhofer@aevum.de> |
| Date: Fri, 10 Jun 2016 14:23:58 +0200 |
| Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion |
| |
| An empty decimal-separator could cause a heap overread. This can be |
| exploited to leak a couple of bytes after the buffer that holds the |
| pattern string. |
| |
| Found with afl-fuzz and ASan. |
| |
| Signed-off-by: Baruch Siach <baruch@tkos.co.il> |
| --- |
| Patch status: upstream commit eb1030de311 |
| |
| libxslt/numbers.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| diff --git a/libxslt/numbers.c b/libxslt/numbers.c |
| index d1549b46ca26..e78c46b6357b 100644 |
| --- a/libxslt/numbers.c |
| +++ b/libxslt/numbers.c |
| @@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self, |
| } |
| |
| /* We have finished the integer part, now work on fraction */ |
| - if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) { |
| + if ( (*the_format != 0) && |
| + (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) { |
| format_info.add_decimal = TRUE; |
| the_format += xsltUTF8Size(the_format); /* Skip over the decimal */ |
| } |
| -- |
| 2.10.2 |
| |
