[libxslt] Fix OOB heap read in xsltExtModuleRegisterDynamic



commit 87c3d9ea214fc0503fd8130b6dd97431d69cc066
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Thu May 5 15:12:48 2016 +0200

    Fix OOB heap read in xsltExtModuleRegisterDynamic
    
    xsltExtModuleRegisterDynamic would read a byte before the start of a
    string under certain circumstances. It looks like this piece of code was
    supposed to strip characters from the end of the extension name, but
    it didn't have any effect. Don't read beyond the beginning of the
    string and actually strip unwanted characters.
    
    Found with afl-fuzz and ASan.

 libxslt/extensions.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)
---
diff --git a/libxslt/extensions.c b/libxslt/extensions.c
index 5ad73cb..ae6eef0 100644
--- a/libxslt/extensions.c
+++ b/libxslt/extensions.c
@@ -367,8 +367,11 @@ xsltExtModuleRegisterDynamic(const xmlChar * URI)
         i++;
     }
 
-    if (*(i - 1) == '_')
+    /* Strip underscores from end of string. */
+    while (i > ext_name && *(i - 1) == '_') {
+        i--;
         *i = '\0';
+    }
 
     /* determine module directory */
     ext_directory = (xmlChar *) getenv("LIBXSLT_PLUGINS_PATH");
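
Review bot: the new `while (i > ext_name && *(i - 1) == '_')` loop can leave `ext_name` as an empty string when the name is empty or consists only of underscores, and the hunk then continues straight to the `LIBXSLT_PLUGINS_PATH` lookup. Consider checking `i == ext_name` after the loop and failing early, so that no module path is built from an empty extension name. The diffstat shows only libxslt/extensions.c changed; adding the afl-fuzz input as a regression test would help keep the one-byte read before the start of the string from coming back.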

