summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Wellnhofer <wellnhofer@aevum.de>2016-05-05 15:12:48 +0200
committerNick Wellnhofer <wellnhofer@aevum.de>2016-05-05 15:18:32 +0200
commit87c3d9ea214fc0503fd8130b6dd97431d69cc066 (patch)
tree628a723c1957980f645acbe355c61c42acd90582
parent6cc3abbfbc2405a434380d39948e7fbc0515d665 (diff)
downloadlibxslt-1.1.29-rc2.tar.gz
Fix OOB heap read in xsltExtModuleRegisterDynamicv1.1.29-rc2
xsltExtModuleRegisterDynamic would read a byte before the start of a string under certain circumstances. I looks like this piece code was supposed to strip characters from the end of the extension name, but it didn't have any effect. Don't read beyond the beginning of the string and actually strip unwanted characters. Found with afl-fuzz and ASan.
-rw-r--r--libxslt/extensions.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/libxslt/extensions.c b/libxslt/extensions.c
index 5ad73cb9..ae6eef08 100644
--- a/libxslt/extensions.c
+++ b/libxslt/extensions.c
@@ -367,8 +367,11 @@ xsltExtModuleRegisterDynamic(const xmlChar * URI)
i++;
}
- if (*(i - 1) == '_')
+ /* Strip underscores from end of string. */
+ while (i > ext_name && *(i - 1) == '_') {
+ i--;
*i = '\0';
+ }
/* determine module directory */
ext_directory = (xmlChar *) getenv("LIBXSLT_PLUGINS_PATH");