libs/libxslt/patches/0020-Fix-heap-overread-in-xsltFormatNumberConversion.patch

   1 From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
   2 From: Nick Wellnhofer <wellnhofer@aevum.de>
   3 Date: Fri, 10 Jun 2016 14:23:58 +0200
   4 Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
   5
   6 An empty decimal-separator could cause a heap overread. This can be
   7 exploited to leak a couple of bytes after the buffer that holds the
   8 pattern string.
   9
  10 Found with afl-fuzz and ASan.
  11 ---
  12  libxslt/numbers.c | 3 ++-
  13  1 file changed, 2 insertions(+), 1 deletion(-)
  14
  15 diff --git a/libxslt/numbers.c b/libxslt/numbers.c
  16 index d1549b4..e78c46b 100644
  17 --- a/libxslt/numbers.c
  18 +++ b/libxslt/numbers.c
  19 @@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
  20      }
  21
  22      /* We have finished the integer part, now work on fraction */
  23 -    if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
  24 +    if ( (*the_format != 0) &&
  25 +         (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
  26          format_info.add_decimal = TRUE;
  27         the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
  28      }
  29 --
  30 2.10.2
  31