author | Nick Wellnhofer <wellnhofer@aevum.de> | 2016-05-05 15:12:48 +0200 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2016-05-05 15:18:32 +0200 |
commit | 87c3d9ea214fc0503fd8130b6dd97431d69cc066 (patch) | |
tree | 628a723c1957980f645acbe355c61c42acd90582 | |
parent | 6cc3abbfbc2405a434380d39948e7fbc0515d665 (diff) | |
download | libxslt-1.1.29-rc2.tar.gz |
Fix OOB heap read in xsltExtModuleRegisterDynamic (tag: v1.1.29-rc2)

xsltExtModuleRegisterDynamic would read a byte before the start of a
string under certain circumstances. It looks like this piece of code was
supposed to strip characters from the end of the extension name, but
it didn't have any effect. Don't read beyond the beginning of the
string and actually strip unwanted characters.
Found with afl-fuzz and ASan.
-rw-r--r-- | libxslt/extensions.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/libxslt/extensions.c b/libxslt/extensions.c index 5ad73cb9..ae6eef08 100644 --- a/libxslt/extensions.c +++ b/libxslt/extensions.c @@ -367,8 +367,11 @@ xsltExtModuleRegisterDynamic(const xmlChar * URI) i++; } - if (*(i - 1) == '_') + /* Strip underscores from end of string. */ + while (i > ext_name && *(i - 1) == '_') { + i--; *i = '\0'; + } /* determine module directory */ ext_directory = (xmlChar *) getenv("LIBXSLT_PLUGINS_PATH"); |
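
Review bot: In the new `while (i > ext_name && *(i - 1) == '_')` loop, a name that consists only of underscores is stripped down to an empty string, and nothing in the visible lines stops the function from continuing to the "determine module directory" step with it. Consider checking for `i == ext_name` after the loop and bailing out before the plugin path is built. A regression test with an extension name that ends in, or is made up entirely of, underscores would also help, since the commit message notes that the old `if (*(i - 1) == '_')` branch never had any effect and so this stripping path has not been exercised before.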