43 lines
1.1 KiB
Diff
43 lines
1.1 KiB
Diff
From a40db8fde759261b042138646da36c632a739f31 Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Fri, 7 Apr 2023 11:49:27 +0200
|
|
Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
|
|
deterministic
|
|
|
|
When hashing empty strings which aren't null-terminated,
|
|
xmlDictComputeFastKey could produce inconsistent results. This could
|
|
lead to various logic or memory errors, including double frees.
|
|
|
|
For consistency the seed is also taken into account, but this shouldn't
|
|
have an impact on security.
|
|
|
|
Found by OSS-Fuzz.
|
|
|
|
Fixes #510.
|
|
|
|
Incorporates change from commit
|
|
09a2dd453007f9c7205274623acdd73747c22d64.
|
|
---
|
|
dict.c | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/dict.c b/dict.c
|
|
index 0ef3718d..5e84cfca 100644
|
|
--- a/dict.c
|
|
+++ b/dict.c
|
|
@@ -444,8 +444,9 @@ static unsigned long
|
|
xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
|
|
unsigned long value = seed;
|
|
|
|
- if (name == NULL) return(0);
|
|
- value = *name;
|
|
+ if ((name == NULL) || (namelen <= 0))
|
|
+ return(value);
|
|
+ value += *name;
|
|
value <<= 5;
|
|
if (namelen > 10) {
|
|
value += name[namelen - 1];
|
|
--
|
|
2.41.0
|
|
|