File: CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch

libxml2.9 2.12.7+dfsg+really2.9.14-2.2
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 7 Apr 2023 11:49:27 +0200
Subject: [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
Origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64
Bug-Debian: https://bugs.debian.org/1034437
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-29469

When hashing empty strings which aren't null-terminated,
xmlDictComputeFastKey could produce inconsistent results. This could
lead to various logic or memory errors, including double frees.

For consistency the seed is also taken into account, but this shouldn't
have an impact on security.

Found by OSS-Fuzz.

Fixes #510.
---
 dict.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dict.c b/dict.c
index c29d2af77a77..12ba94fd51b5 100644
--- a/dict.c
+++ b/dict.c
@@ -453,7 +453,8 @@ static unsigned long
 xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
     unsigned long value = seed;
 
-    if (name == NULL) return(0);
+    if ((name == NULL) || (namelen <= 0))
+        return(value);
     value += *name;
     value <<= 5;
     if (namelen > 10) {
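Review bot: the essential correction is that the length guard now sits before the unconditional `value += *name;` dereference; in the old code a zero-length name that was not null-terminated had its first byte read from outside the string, so two identical empty keys could yield different hash values and land in different buckets, which is how the message's double-free scenario arises. Returning `value` rather than `0` also folds the seed into the empty-string hash, as the message says, and `namelen <= 0` covers a negative length as well. Two things worth confirming before merging: that any other key function in dict.c used for the same entries (not visible in this hunk) applies the same empty-length rule so a rehash on growth cannot split an empty key across buckets, and that a regression test covers a zero-length lookup against a buffer with no terminator under a memory sanitizer, since that is the condition the fuzzer hit.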
-- 
2.40.0