CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey

For https://bugzilla.gnome.org/show_bug.cgi?id=756528 It was possible to hit a negative offset in the name indexing used to randomize the dictionary key generation Reported and fix provided by David Drysdale @ Google
GNOME · Nov 20, 2015 · 6360a31 · 6360a31
1 parent 53ac9c9
commit 6360a31
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/dict.c b/dict.c
@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
 	value += 30 * (*prefix);
 
     if (len > 10) {
-        value += name[len - (plen + 1 + 1)];
+        int offset = len - (plen + 1 + 1);
+	if (offset < 0)
+	    offset = len - (10 + 1);
+	value += name[offset];
         len = 10;
 	if (plen > 10)
 	    plen = 10;