38 lines
1.0 KiB
Diff
38 lines
1.0 KiB
Diff
From 09a2dd453007f9c7205274623acdd73747c22d64 Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Fri, 7 Apr 2023 11:49:27 +0200
|
|
Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
|
|
deterministic
|
|
|
|
When hashing empty strings which aren't null-terminated,
|
|
xmlDictComputeFastKey could produce inconsistent results. This could
|
|
lead to various logic or memory errors, including double frees.
|
|
|
|
For consistency the seed is also taken into account, but this shouldn't
|
|
have an impact on security.
|
|
|
|
Found by OSS-Fuzz.
|
|
|
|
Fixes #510.
|
|
---
|
|
dict.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/dict.c b/dict.c
|
|
index 26ce516d..57b76fae 100644
|
|
--- a/dict.c
|
|
+++ b/dict.c
|
|
@@ -451,7 +451,8 @@ static unsigned long
|
|
xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
|
|
unsigned long value = seed;
|
|
|
|
- if (name == NULL) return(0);
|
|
+ if ((name == NULL) || (namelen <= 0))
|
|
+ return(value);
|
|
value += *name;
|
|
value <<= 5;
|
|
if (namelen > 10) {
|
|
--
|
|
2.27.0
|
|
|