diff options
author | Pranjal Jumde <pjumde@apple.com> | 2016-03-07 06:34:26 -0800 |
---|---|---|
committer | Daniel Veillard <veillard@redhat.com> | 2016-05-23 15:01:07 +0800 |
commit | cbb271655cadeb8dbb258a64701d9a3a0c4835b4 (patch) | |
tree | c500b5ca66cff84dba03bfb021855b853aaf7ff4 | |
parent | 40fd6d2a1b9dfc8ef5b428c9df7bdcb3398d6bd3 (diff) | |
download | libxml2-CVE-2016-1840.tar.gz |
Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup <https://bugzilla.gnome.org/show_bug.cgi?id=757711>CVE-2016-1840
* xmlregexp.c:
(xmlFAParseCharRange): Only advance to the next character if
there is no error. Advancing to the next character in case of
an error while parsing regexp leads to an out of bounds access.
-rw-r--r-- | xmlregexp.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/xmlregexp.c b/xmlregexp.c index 727fef4d..ca3b4f46 100644 --- a/xmlregexp.c +++ b/xmlregexp.c @@ -5057,11 +5057,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) { ERROR("Expecting the end of a char range"); return; } - NEXTL(len); + /* TODO check that the values are acceptable character ranges for XML */ if (end < start) { ERROR("End of range is before start of range"); } else { + NEXTL(len); xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg, XML_REGEXP_CHARVAL, start, end, NULL); } |