1*93fd6e3dSDon LewisFrom 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
2*93fd6e3dSDon LewisFrom: Nick Wellnhofer <wellnhofer@aevum.de>
3*93fd6e3dSDon LewisDate: Fri, 7 Aug 2020 21:54:27 +0200
4*93fd6e3dSDon LewisSubject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
5*93fd6e3dSDon Lewis
6*93fd6e3dSDon LewisMake sure that truncated UTF-8 sequences don't cause an out-of-bounds
7*93fd6e3dSDon Lewisarray access.
8*93fd6e3dSDon Lewis
9*93fd6e3dSDon LewisThanks to @SuhwanSong and the Agency for Defense Development (ADD) for
10*93fd6e3dSDon Lewisthe report.
11*93fd6e3dSDon Lewis
12*93fd6e3dSDon LewisFixes #178.
13*93fd6e3dSDon Lewis---
14*93fd6e3dSDon Lewis xmllint.c | 6 ++++++
15*93fd6e3dSDon Lewis 1 file changed, 6 insertions(+)
16*93fd6e3dSDon Lewis
17*93fd6e3dSDon Lewisdiff --git misc/libxml2-2.9.10/xmllint.c misc/build/libxml2-2.9.10/xmllint.c
18*93fd6e3dSDon Lewisindex f6a8e4636..c647486f3 100644
19*93fd6e3dSDon Lewis--- misc/libxml2-2.9.10/xmllint.c
20*93fd6e3dSDon Lewis+++ misc/build/libxml2-2.9.10/xmllint.c
21*93fd6e3dSDon Lewis@@ -528,6 +528,12 @@ static void
22*93fd6e3dSDon Lewis xmlHTMLEncodeSend(void) {
23*93fd6e3dSDon Lewis char *result;
24*93fd6e3dSDon Lewis
25*93fd6e3dSDon Lewis+ /*
26*93fd6e3dSDon Lewis+ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
27*93fd6e3dSDon Lewis+ * end with a truncated UTF-8 sequence. This is a hack to at least avoid
28*93fd6e3dSDon Lewis+ * an out-of-bounds read.
29*93fd6e3dSDon Lewis+ */
30*93fd6e3dSDon Lewis+ memset(&buffer[sizeof(buffer)-4], 0, 4);
31*93fd6e3dSDon Lewis result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
32*93fd6e3dSDon Lewis if (result) {
33*93fd6e3dSDon Lewis xmlGenericError(xmlGenericErrorContext, "%s", result);
34*93fd6e3dSDon Lewis--
35*93fd6e3dSDon LewisGitLab
36*93fd6e3dSDon Lewis
37
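Review bot: The added `memset(&buffer[sizeof(buffer)-4], 0, 4);` is only sound while `buffer` (declared outside this hunk) stays a fixed-size array and while the encoder looks at most three bytes past a lead byte, yet neither invariant is recorded in the comment; if `buffer` were ever turned into a pointer, `sizeof(buffer)` would silently shrink to the pointer size and the guard would clobber the wrong bytes. The comment already admits this is a hack around xmlEncodeEntitiesReentrant trusting its input, so the remaining exposure — any other caller handing that function a truncated sequence — should be stated explicitly so the memset is not mistaken for a fix of the encoder itself. I would extend the comment with `* The 4 is the longest UTF-8 sequence; buffer must remain a fixed-size array for sizeof() to hold. The encoder itself is unchanged, so other callers are not protected by this.` and, to keep the two constants in step, replace the second literal with a named constant such as `UTF8_MAX_LEN` (constructed name, not from the file). Note that this unconditionally discards up to three valid trailing bytes whenever the buffer is within four bytes of full, which is acceptable for diagnostic output but worth a sentence. xmlHTMLEncodeSend's body continues beyond the hunk.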