authorNick Wellnhofer <wellnhofer@aevum.de>2023-04-07 11:49:27 +0200
committerNick Wellnhofer <wellnhofer@aevum.de>2023-04-11 13:13:42 +0200
commit09a2dd453007f9c7205274623acdd73747c22d64 (patch)
treefb056a05852265054b65e917a9bdb6d8501802e3
parent647e072ea0a2f12687fa05c172f4c4713fdb0c4f (diff)
downloadlibxml2-09a2dd453007f9c7205274623acdd73747c22d64.tar.gz
[CVE-2023-29469] Hashing of empty dict strings isn't deterministic
When hashing empty strings which aren't null-terminated, xmlDictComputeFastKey could produce inconsistent results. This could lead to various logic or memory errors, including double frees. For consistency the seed is also taken into account, but this shouldn't have an impact on security. Found by OSS-Fuzz. Fixes #510.
-rw-r--r--dict.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/dict.c b/dict.c
index c29d2af7..12ba94fd 100644
--- a/dict.c
+++ b/dict.c
@@ -453,7 +453,8 @@ static unsigned long
xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
unsigned long value = seed;
- if (name == NULL) return(0);
+ if ((name == NULL) || (namelen <= 0))
+ return(value);
value += *name;
value <<= 5;
if (namelen > 10) {
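Review bot: The new guard `if ((name == NULL) || (namelen <= 0))` carries no comment explaining why a zero length has to be rejected before `value += *name;`. Per the commit message the string need not be null-terminated, so for an empty name that read would fold a byte from outside the string into the hash. I would add `/* name may not be NUL-terminated: never read *name when namelen <= 0 */` directly above the check so the early return is not later "simplified" back to a NULL test. Whether the other length-taking key functions in dict.c apply the same guard is not visible here and is worth confirming. The body of xmlDictComputeFastKey continues past the end of the hunk.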