2023-06-08 11:26:54 +08:00
|
|
|
From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001
|
2023-04-20 22:01:00 +08:00
|
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
|
|
|
Date: Fri, 7 Apr 2023 11:49:27 +0200
|
|
|
|
|
Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
|
|
|
|
|
deterministic
|
|
|
|
|
|
|
|
|
|
When hashing empty strings which aren't null-terminated,
|
|
|
|
|
xmlDictComputeFastKey could produce inconsistent results. This could
|
|
|
|
|
lead to various logic or memory errors, including double frees.
|
|
|
|
|
|
|
|
|
|
For consistency the seed is also taken into account, but this shouldn't
|
|
|
|
|
have an impact on security.
|
|
|
|
|
|
|
|
|
|
Found by OSS-Fuzz.
|
|
|
|
|
|
|
|
|
|
Fixes #510.
|
2023-06-08 11:26:54 +08:00
|
|
|
|
|
|
|
|
Reference:https://github.com/GNOME/libxml2/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df
|
|
|
|
|
Conflict:NA
|
|
|
|
|
|
2023-04-20 22:01:00 +08:00
|
|
|
---
|
|
|
|
|
dict.c | 3 ++-
|
|
|
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
|
|
|
|
|
|
diff --git a/dict.c b/dict.c
|
2023-06-08 11:26:54 +08:00
|
|
|
index 90e4d81..e39e8a4 100644
|
2023-04-20 22:01:00 +08:00
|
|
|
--- a/dict.c
|
|
|
|
|
+++ b/dict.c
|
|
|
|
|
@@ -451,7 +451,8 @@ static unsigned long
|
|
|
|
|
xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
|
|
|
|
|
unsigned long value = seed;
|
|
|
|
|
|
|
|
|
|
- if (name == NULL) return(0);
|
|
|
|
|
+ if ((name == NULL) || (namelen <= 0))
|
|
|
|
|
+ return(value);
|
|
|
|
|
value += *name;
|
|
|
|
|
value <<= 5;
|
|
|
|
|
if (namelen > 10) {
|
|
|
|
|
--
|
|
|
|
|
2.27.0
|
|
|
|
|
|
