From fb56f80eeffde4b79a49667c3f0727181d57aeb3 Mon Sep 17 00:00:00 2001
From: David Kilzer
Date: Tue, 4 Jul 2017 18:38:03 +0200
Subject: [PATCH] Heap-buffer-overflow read of size 1 in xmlFAParsePosCharGroup Credit to OSS-Fuzz. Add a check to xmlFAParseCharRange() for the end of the buffer to prevent reading past the end of it. This fixes Bug 784017.
---
 xmlregexp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xmlregexp.c b/xmlregexp.c
index 019399fd..b640264b 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -5053,7 +5053,7 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) {
 return;
 }
 len = 1;
- } else if ((cur != 0x5B) && (cur != 0x5D)) {
+ } else if ((cur != '\0') && (cur != 0x5B) && (cur != 0x5D)) {
 end = CUR_SCHAR(ctxt->cur, len);
 } else {
 ERROR("Expecting the end of a char range");
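Review bot: The added `cur != '\0'` test in the end-of-range branch appears to be the only thing keeping `CUR_SCHAR(ctxt->cur, len)` from decoding at the string terminator, yet nothing on the line says so; a short comment such as `/* cur == 0: end of the regexp string, do not decode or advance past it */` would stop a later cleanup from dropping it. The neighbouring comparisons are written as hex code points (`0x5B`, `0x5D`), so the different role of the NUL test deserves to be explicit. The diffstat shows only xmlregexp.c changing, so no regression input for the OSS-Fuzz case accompanies the fix; adding the fuzzer's reproducer to the regexp tests would pin the behaviour. xmlFAParseCharRange starts and ends outside the hunk, so whether the start-of-range branch has an equivalent end-of-buffer guard cannot be confirmed from here and is worth checking.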