1From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Fri, 7 Aug 2020 21:54:27 +0200
4Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
5
6Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
7array access.
8
9Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
10the report.
11
12Fixes #178.
13---
14 xmllint.c | 6 ++++++
15 1 file changed, 6 insertions(+)
16
17diff --git misc/libxml2-2.9.10/xmllint.c misc/build/libxml2-2.9.10/xmllint.c
18index f6a8e4636..c647486f3 100644
19--- misc/libxml2-2.9.10/xmllint.c
20+++ misc/build/libxml2-2.9.10/xmllint.c
21@@ -528,6 +528,12 @@ static void
22 xmlHTMLEncodeSend(void) {
23 char *result;
24 
25+ /*
26+ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
27+ * end with a truncated UTF-8 sequence. This is a hack to at least avoid
28+ * an out-of-bounds read.
29+ */
30+ memset(&buffer[sizeof(buffer)-4], 0, 4);
31 result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
32 if (result) {
33 xmlGenericError(xmlGenericErrorContext, "%s", result);
34-- 
35GitLab
36
37
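Review bot: The added `memset(&buffer[sizeof(buffer)-4], 0, 4)` zeroes the last four bytes of `buffer` unconditionally, so up to three valid trailing bytes are silently dropped from the HTML output even when nothing is truncated, and a lead byte that happens to sit just before the zeroed region is still handed to the encoder followed by NUL "continuation" bytes; that keeps the read in bounds, as the commit intends, but the encoder still sees malformed input. A tighter guard would force termination, locate the end with strlen, walk back at most three bytes to the last lead byte, and cut there only when the lead's declared length exceeds the bytes that remain, as sketched below. The fix also presumes `buffer` is a fixed-size array rather than a pointer (its declaration is outside the hunk), which is what makes `sizeof(buffer)` its capacity; the comment should say so, e.g. `/* relies on buffer being an array: sizeof(buffer) is its capacity */`. xmlHTMLEncodeSend's body continues past the end of the hunk.
```c
xmlHTMLEncodeSend(void) {
    char *result;
    size_t len, back;

    /*
     * Force termination, then drop an incomplete trailing UTF-8 sequence at
     * its lead byte so xmlEncodeEntitiesReentrant never reads continuation
     * bytes past the end of buffer. Relies on buffer being an array.
     */
    buffer[sizeof(buffer) - 1] = '\0';
    len = strlen(buffer);
    for (back = 1; back <= 3 && back <= len; back++) {
        unsigned char c = (unsigned char) buffer[len - back];
        size_t need;

        if ((c & 0xC0) == 0x80)
            continue;                     /* continuation byte, keep looking */
        need = (c & 0xE0) == 0xC0 ? 2 :
               (c & 0xF0) == 0xE0 ? 3 :
               (c & 0xF8) == 0xF0 ? 4 : 1;
        if (need > back)
            buffer[len - back] = '\0';    /* lead byte with too few followers */
        break;
    }
    /* ... unchanged: xmlEncodeEntitiesReentrant call and output ... */
```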