search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
python-treq: bump to version 16.12.0
[buildroot-gz.git] / package / libxslt / 0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch
blob1ad494a6c0232f72ba0fe93474ec9d0b6805aa29
1 From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
2 From: Nick Wellnhofer <wellnhofer@aevum.de>
3 Date: Fri, 10 Jun 2016 14:23:58 +0200
4 Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
5
6 An empty decimal-separator could cause a heap overread. This can be
7 exploited to leak a couple of bytes after the buffer that holds the
8 pattern string.
9
10 Found with afl-fuzz and ASan.
11
12 Signed-off-by: Baruch Siach <baruch@tkos.co.il>
13 ---
14 Patch status: upstream commit eb1030de311
15
16 libxslt/numbers.c | 3 ++-
17 1 file changed, 2 insertions(+), 1 deletion(-)
18
19 diff --git a/libxslt/numbers.c b/libxslt/numbers.c
20 index d1549b46ca26..e78c46b6357b 100644
21 --- a/libxslt/numbers.c
22 +++ b/libxslt/numbers.c
23 @@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
24 }
25
26 /* We have finished the integer part, now work on fraction */
27 - if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
28 + if ( (*the_format != 0) &&
29 + (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
30 format_info.add_decimal = TRUE;
31 the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
32 }
33 --
34 2.10.2
35
My buildroot patches