mirror of
				https://gitlab.gnome.org/GNOME/libxml2.git
	Fix out-of-bounds read with 'xmllint --htmlout'
Make sure that truncated UTF-8 sequences don't cause an out-of-bounds array access. Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for the report. Fixes #178.
		| @@ -528,6 +528,12 @@ static void | |||||||
| xmlHTMLEncodeSend(void) { | xmlHTMLEncodeSend(void) { | ||||||
|     char *result; |     char *result; | ||||||
|  |  | ||||||
|  |     /* | ||||||
|  |      * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might | ||||||
|  |      * end with a truncated UTF-8 sequence. This is a hack to at least avoid | ||||||
|  |      * an out-of-bounds read. | ||||||
|  |      */ | ||||||
|  |     memset(&buffer[sizeof(buffer)-4], 0, 4); | ||||||
|     result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer); |     result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer); | ||||||
|     if (result) { |     if (result) { | ||||||
| 	xmlGenericError(xmlGenericErrorContext, "%s", result); | 	xmlGenericError(xmlGenericErrorContext, "%s", result); | ||||||
|   | |||||||
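Review bot: The `memset(&buffer[sizeof(buffer)-4], 0, 4);` added ahead of the xmlEncodeEntitiesReentrant call bounds the read, but the truncated sequence is still handed to the encoder, and the last four bytes are cleared on every call, so a completely filled buffer silently loses its final bytes of valid output. The comment would be more useful if it said why four bytes suffice, for example `/* 4 = longest UTF-8 sequence, so the zero padding presumably covers the encoder's look-ahead */`. The line also depends on `buffer` being a real array of at least four bytes; its declaration is outside this hunk, so a short note or a compile-time size check beside that declaration would keep a later change to a pointer or a smaller size from turning this into a wrong-sized write. A sturdier follow-up would trim the buffer back to the last complete character boundary instead of padding, so no invalid sequence reaches the encoder at all. The body of xmlHTMLEncodeSend continues past the end of the hunk.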