authorPranjal Jumde <pjumde@apple.com>2016-03-07 06:34:26 -0800
committerDaniel Veillard <veillard@redhat.com>2016-05-23 15:01:07 +0800
commitcbb271655cadeb8dbb258a64701d9a3a0c4835b4 (patch)
treec500b5ca66cff84dba03bfb021855b853aaf7ff4
parent40fd6d2a1b9dfc8ef5b428c9df7bdcb3398d6bd3 (diff)
downloadlibxml2-CVE-2016-1840.tar.gz
Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup <https://bugzilla.gnome.org/show_bug.cgi?id=757711>CVE-2016-1840
* xmlregexp.c: (xmlFAParseCharRange): Only advance to the next character if there is no error. Advancing to the next character in case of an error while parsing regexp leads to an out of bounds access.
-rw-r--r--xmlregexp.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/xmlregexp.c b/xmlregexp.c
index 727fef4d..ca3b4f46 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -5057,11 +5057,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) {
ERROR("Expecting the end of a char range");
return;
}
- NEXTL(len);
+
/* TODO check that the values are acceptable character ranges for XML */
if (end < start) {
ERROR("End of range is before start of range");
} else {
+ NEXTL(len);
xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
XML_REGEXP_CHARVAL, start, end, NULL);
}
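Review bot: The relocated `NEXTL(len);` in the else branch has no comment saying why the cursor must not move on the error path, so a later tidy-up could hoist it back above the `if` and reintroduce the out-of-bounds read described in the commit message. A short comment directly above it would do, for example `/* consume the range end only once it is valid; advancing after an error can step past the end of the pattern (bug 757711) */`. After this change the error branch returns with the offending character still unconsumed, so the fix presumably depends on callers checking the parser's error state before reading further; that code is outside the hunk and worth confirming. The diffstat lists only xmlregexp.c, so no regression input for the malformed range accompanies the fix. xmlFAParseCharRange starts before this hunk and continues after it.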