1*2a621114SDon LewisFrom 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
2*2a621114SDon LewisFrom: Nick Wellnhofer <wellnhofer@aevum.de>
3*2a621114SDon LewisDate: Fri, 7 Aug 2020 21:54:27 +0200
4*2a621114SDon LewisSubject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
5*2a621114SDon Lewis
6*2a621114SDon LewisMake sure that truncated UTF-8 sequences don't cause an out-of-bounds
7*2a621114SDon Lewisarray access.
8*2a621114SDon Lewis
9*2a621114SDon LewisThanks to @SuhwanSong and the Agency for Defense Development (ADD) for
10*2a621114SDon Lewisthe report.
11*2a621114SDon Lewis
12*2a621114SDon LewisFixes #178.
13*2a621114SDon Lewis---
14*2a621114SDon Lewis xmllint.c | 6 ++++++
15*2a621114SDon Lewis 1 file changed, 6 insertions(+)
16*2a621114SDon Lewis
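diff --git misc/libxml2-2.9.10/xmllint.c misc/build/libxml2-2.9.10/xmllint.c
index f6a8e4636..c647486f3 100644
--- misc/libxml2-2.9.10/xmllint.c
+++ misc/build/libxml2-2.9.10/xmllint.c
@@ -528,6 +528,12 @@ static void
 xmlHTMLEncodeSend(void) {
     char *result;
 
+    /*
+     * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
+     * end with a truncated UTF-8 sequence. This is a hack to at least avoid
+     * an out-of-bounds read.
+     */
+    memset(&buffer[sizeof(buffer)-4], 0, 4);
     result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
     if (result) {
 	xmlGenericError(xmlGenericErrorContext, "%s", result);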
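Review bot: The added `memset(&buffer[sizeof(buffer)-4], 0, 4)` unconditionally discards the last four bytes of `buffer`, so a full buffer whose tail is valid (plain ASCII or a complete multibyte sequence) silently loses legitimate output; the over-read is stopped, but only by trading it for unconditional truncation. A tighter fix NUL-terminates first and then walks back over continuation bytes, dropping only a trailing lead byte whose sequence is shorter than its declared length, which is what xmlEncodeEntitiesReentrant's lookahead actually depends on (sketch below, to replace the memset line). The declaration of `buffer` is outside the hunk, so it is assumed to be a `char` array of at least four bytes; a `_Static_assert(sizeof(buffer) >= 4, "buffer too small for UTF-8 tail check");` next to the fix would pin that assumption. xmlHTMLEncodeSend's body continues past the hunk.
```c
    char *result;
    /* … unchanged: comment explaining the UTF-8 assumption … */
    {
        /* Make the tail well-formed instead of zeroing four bytes:
         * terminate within bounds, then drop a trailing lead byte whose
         * continuation bytes are cut off by the end of the buffer. */
        size_t end = 0;
        while (end < sizeof(buffer) - 1 && buffer[end] != '\0')
            end++;
        size_t i = end;
        while (i > 0 && ((unsigned char)buffer[i - 1] & 0xC0) == 0x80)
            i--;
        if (i > 0 && (unsigned char)buffer[i - 1] >= 0xC0) {
            unsigned char lead = (unsigned char)buffer[i - 1];
            size_t need = lead >= 0xF0 ? 4 : lead >= 0xE0 ? 3 : 2;
            if (end - (i - 1) < need)
                end = i - 1;
        }
        buffer[end] = '\0';
    }
    result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
    /* … unchanged: error reporting and the rest of the function … */
```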
34*2a621114SDon Lewis--
35*2a621114SDon LewisGitLab
36*2a621114SDon Lewis