1*ebc59d3fSDon LewisFrom 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
2*ebc59d3fSDon LewisFrom: Nick Wellnhofer <wellnhofer@aevum.de>
3*ebc59d3fSDon LewisDate: Fri, 7 Aug 2020 21:54:27 +0200
4*ebc59d3fSDon LewisSubject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
5*ebc59d3fSDon Lewis
6*ebc59d3fSDon LewisMake sure that truncated UTF-8 sequences don't cause an out-of-bounds
7*ebc59d3fSDon Lewisarray access.
8*ebc59d3fSDon Lewis
9*ebc59d3fSDon LewisThanks to @SuhwanSong and the Agency for Defense Development (ADD) for
10*ebc59d3fSDon Lewisthe report.
11*ebc59d3fSDon Lewis
12*ebc59d3fSDon LewisFixes #178.
13*ebc59d3fSDon Lewis---
14*ebc59d3fSDon Lewis xmllint.c | 6 ++++++
15*ebc59d3fSDon Lewis 1 file changed, 6 insertions(+)
16*ebc59d3fSDon Lewis
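diff --git misc/libxml2-2.9.10/xmllint.c misc/build/libxml2-2.9.10/xmllint.c
index f6a8e4636..c647486f3 100644
--- misc/libxml2-2.9.10/xmllint.c
+++ misc/build/libxml2-2.9.10/xmllint.c
@@ -528,6 +528,12 @@ static void
 xmlHTMLEncodeSend(void) {
     char *result;
 
+    /*
+     * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
+     * end with a truncated UTF-8 sequence. This is a hack to at least avoid
+     * an out-of-bounds read.
+     */
+    memset(&buffer[sizeof(buffer)-4], 0, 4);
     result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
     if (result) {
    xmlGenericError(xmlGenericErrorContext, "%s", result);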
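Review bot: The added `memset(&buffer[sizeof(buffer)-4], 0, 4)` bounds the read but does not make the input valid UTF-8: a lead byte can still sit at `buffer[sizeof(buffer)-5]` with its continuation bytes now zeroed, so xmlEncodeEntitiesReentrant still receives a malformed sequence and its error path is what keeps this safe, which the comment's own "hack" wording concedes. Trimming back to the last complete UTF-8 character before the call removes the partial sequence instead of relying on the encoder's handling of it, and only touches the buffer when a sequence is actually cut. The `sizeof(buffer)` expression is only correct because `buffer` appears to be a file-scope array declared outside this hunk; it should carry a comment such as `/* buffer must remain an array, not a pointer: sizeof is relied on here */`, and it is worth confirming that `<string.h>` is already included in this file. The body of xmlHTMLEncodeSend continues past the end of the hunk.
```c
    /* Drop an incomplete trailing UTF-8 sequence instead of blanking the tail. */
    {
        size_t len = strlen(buffer);
        size_t i = len;
        /* step back over continuation bytes (10xxxxxx) to the lead byte */
        while (i > 0 && (((unsigned char)buffer[i - 1]) & 0xC0) == 0x80)
            i--;
        if (i > 0) {
            unsigned char lead = (unsigned char)buffer[i - 1];
            size_t need = ((lead & 0x80) == 0x00) ? 1 :
                          ((lead & 0xE0) == 0xC0) ? 2 :
                          ((lead & 0xF0) == 0xE0) ? 3 :
                          ((lead & 0xF8) == 0xF0) ? 4 : 1;
            if (len - (i - 1) < need)
                buffer[i - 1] = 0;   /* sequence is truncated: cut before its lead byte */
        }
    }
    result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
    /* … unchanged: error output and buffer reset … */
```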
34*ebc59d3fSDon Lewis--
35*ebc59d3fSDon LewisGitLab
36*ebc59d3fSDon Lewis