Nick Wellnhofer 96a5c17ee1 Fix OOB read with invalid UTF-8 in xmlUTF8Strsize ...

With certain invalid UTF-8, xmlUTF8Strsize can read up to 6 bytes
beyond the end of the string and return the wrong size.

This means that in xmlUTF8Strndup and similar code, some content behind
the string is copied. But since the terminating \0 is copied as well,
this probably can't be exploited to leak sensitive information.

Found by afl-fuzz and ASan.

2016-04-23 18:44:27 +02:00

24 KiB

Raw Permalink Blame History

View Raw