summaryrefslogtreecommitdiff
path: root/patches/source/libxml2/libxml.CVE-2011-3102.diff
blob: 4f6a92cbe7fb237e755d199ec948d89740bbb903 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
From d8e1faeaa99c7a7c07af01c1c72de352eb590a3e Mon Sep 17 00:00:00 2001
From: Jüri Aedla <asd@ut.ee>
Date: Mon, 07 May 2012 07:06:56 +0000
Subject: Fix an off by one pointer access

getting out of the range of memory allocated for xpointer decoding
---
diff --git a/xpointer.c b/xpointer.c
index 37afa3a..0b463dd 100644
--- a/xpointer.c
+++ b/xpointer.c
@@ -1007,21 +1007,14 @@ xmlXPtrEvalXPtrPart(xmlXPathParserContextPtr ctxt, xmlChar *name) {
 		NEXT;
 		break;
 	    }
-	    *cur++ = CUR;
 	} else if (CUR == '(') {
 	    level++;
-	    *cur++ = CUR;
 	} else if (CUR == '^') {
-	    NEXT;
-	    if ((CUR == ')') || (CUR == '(') || (CUR == '^')) {
-		*cur++ = CUR;
-	    } else {
-		*cur++ = '^';
-		*cur++ = CUR;
-	    }
-	} else {
-	    *cur++ = CUR;
+            if ((NXT(1) == ')') || (NXT(1) == '(') || (NXT(1) == '^')) {
+                NEXT;
+            }
 	}
+        *cur++ = CUR;
 	NEXT;
     }
     *cur = 0;
--
cgit v0.9.0.2