File Fix-for-CVE-2019-20007-ezxml-bug-13.patch of Package netcdf
From: Egbert Eich <eich@suse.com>
Date: Mon Oct 25 15:44:01 2021 +0200
Subject: Fix for CVE-2019-20007 / ezxml bug 13
Patch-mainline: Not yet
Git-commit: 42372bd1a026bcfdcda2f3c45d724151fd9e1379
References:
Make sure that ezxml_str2utf8() has succeeded.
This fixes
https://sourceforge.net/p/ezxml/bugs/13/
Signed-off-by: Egbert Eich <eich@suse.com>
---
netcdf-c-4.8.0/libdap4/ezxml.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/netcdf-c-4.8.0/libdap4/ezxml.c b/netcdf-c-4.8.0/libdap4/ezxml.c
index d60d4a3..144fa2d 100644
--- a/libdap4/ezxml.c
+++ b/libdap4/ezxml.c
@@ -485,6 +485,7 @@ ezxml_t ezxml_parse_str(char *s, size_t len)
root->m = s;
if (! len) return ezxml_err(root, NULL, "root tag missing");
root->u = ezxml_str2utf8(&s, &len); /* convert utf-16 to utf-8*/
+ if (! s) return ezxml_err(root, NULL, "invalid root tag"); // bug#13 / CVE-2019-20007
root->e = (root->s = s) + len; /* record start and end of work area*/
e = s[len - 1]; /* save end char*/
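Review bot: the new `if (! s)` test guards the pointer but not the length, and `len` is also passed by address to ezxml_str2utf8(), so it should be re-validated after the call as well. The existing `if (! len)` check runs before the conversion; if the conversion can leave a non-NULL `s` with `len` reduced to 0, the context line `e = s[len - 1];` would still read one byte before the work area. Consider `if (! s || ! len) return ezxml_err(root, NULL, "invalid root tag");`. It would also help to note in the comment why `s` rather than the return value stored in `root->u` is the failure indicator, since the hunk does not show that contract. Minor style point: the added line uses a `//` comment while the surrounding lines use `/* */`.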