author | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-04-07 11:49:27 +0200 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-04-11 13:13:42 +0200 |
commit | 09a2dd453007f9c7205274623acdd73747c22d64 | |
tree | fb056a05852265054b65e917a9bdb6d8501802e3 | |
parent | 647e072ea0a2f12687fa05c172f4c4713fdb0c4f | |
[CVE-2023-29469] Hashing of empty dict strings isn't deterministic

When hashing empty strings which aren't null-terminated,
xmlDictComputeFastKey could produce inconsistent results. This could
lead to various logic or memory errors, including double frees.

For consistency the seed is also taken into account, but this shouldn't
have an impact on security.

Found by OSS-Fuzz.

Fixes #510.

-rw-r--r-- | dict.c | 3 |
1 files changed, 2 insertions, 1 deletions
@@ -453,7 +453,8 @@ static unsigned long xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) { unsigned long value = seed; - if (name == NULL) return(0); + if ((name == NULL) || (namelen <= 0)) + return(value); value += *name; value <<= 5; if (namelen > 10) { |
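
Review bot: The new early return `return(value);` in xmlDictComputeFastKey changes the result for a NULL name from 0 to the seed, and the `namelen <= 0` test folds negative lengths into the empty-string case, both without a comment in the code. A one-line comment above the check would help: it should say that `value += *name;` must not run for a zero-length name, because the byte at `name[0]` lies outside the string when the string is not null-terminated, and that a negative length is treated as empty on purpose. The commit message states that taking the seed into account should not affect security; confirming that no caller depends on a key of 0 for a NULL name would make that claim easy to check. A regression test that hashes the same empty, non-terminated name twice with different bytes following it in the buffer would pin the fix.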