mirror of
https://git.yoctoproject.org/poky
synced 2026-05-02 09:32:14 +02:00
6abe713244
(From OE-Core rev: 5b72983d1a6d5ad5e9a21d2673d57d1da2333ac6) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
41 lines
1.0 KiB
Diff
41 lines
1.0 KiB
Diff
From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001
|
|
From: David Drysdale <drysdale@google.com>
|
|
Date: Fri, 20 Nov 2015 10:47:12 +0800
|
|
Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in
|
|
xmlDictComputeFastQKey
|
|
|
|
For https://bugzilla.gnome.org/show_bug.cgi?id=756528
|
|
It was possible to hit a negative offset in the name indexing
|
|
used to randomize the dictionary key generation
|
|
Reported and fix provided by David Drysdale @ Google
|
|
|
|
Upstream-Status: Backport
|
|
|
|
CVE-2015-7497
|
|
|
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
|
|
---
|
|
dict.c | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/dict.c b/dict.c
|
|
index 5f71d55..8c8f931 100644
|
|
--- a/dict.c
|
|
+++ b/dict.c
|
|
@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
|
|
value += 30 * (*prefix);
|
|
|
|
if (len > 10) {
|
|
- value += name[len - (plen + 1 + 1)];
|
|
+ int offset = len - (plen + 1 + 1);
|
|
+ if (offset < 0)
|
|
+ offset = len - (10 + 1);
|
|
+ value += name[offset];
|
|
len = 10;
|
|
if (plen > 10)
|
|
plen = 10;
|
|
--
|
|
2.3.5
|
|
|