File libxml2-2.9.1-CVE-2016-4483.patch of Package libxml2.2672
From c97750d11bb8b6f3303e7131fe526a61ac65bcfd Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 23 May 2016 13:39:13 +0800
Subject: Avoid an out of bound access when serializing malformed strings
For https://bugzilla.gnome.org/show_bug.cgi?id=766414
* xmlsave.c: xmlBufAttrSerializeTxtContent() if an attribute value
is not UTF-8 be more careful when serializing it as we may do an
out of bound access as a result.
---
xmlsave.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/xmlsave.c b/xmlsave.c
index 774404b..4a8e3f3 100644
--- a/xmlsave.c
+++ b/xmlsave.c
@@ -2097,8 +2097,8 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc,
xmlBufAdd(buf, BAD_CAST "&", 5);
cur++;
base = cur;
- } else if ((*cur >= 0x80) && ((doc == NULL) ||
- (doc->encoding == NULL))) {
+ } else if ((*cur >= 0x80) && (cur[1] != 0) &&
+ ((doc == NULL) || (doc->encoding == NULL))) {
/*
* We assume we have UTF-8 content.
*/
@@ -2121,14 +2121,14 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc,
val <<= 6;
val |= (cur[1]) & 0x3F;
l = 2;
- } else if (*cur < 0xF0) {
+ } else if ((*cur < 0xF0) && (cur [2] != 0)) {
val = (cur[0]) & 0x0F;
val <<= 6;
val |= (cur[1]) & 0x3F;
val <<= 6;
val |= (cur[2]) & 0x3F;
l = 3;
- } else if (*cur < 0xF8) {
+ } else if ((*cur < 0xF8) && (cur [2] != 0) && (cur[3] != 0)) {
val = (cur[0]) & 0x07;
val <<= 6;
val |= (cur[1]) & 0x3F;
--
cgit v0.12