Bug 777730 - xmlParseNameComplex reads before the start of a heap buffer
Status: RESOLVED DUPLICATE of bug 766956
Product: libxml2
Classification: Platform
Component: general
Version: git master
Hardware/OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2017-01-25 04:47 UTC by Dominic Cooney
Modified: 2017-06-05 15:50 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Test case (117 bytes, text/xml)
2017-02-03 03:11 UTC, Dominic Cooney

Description Dominic Cooney 2017-01-25 04:47:42 UTC
Note to self, this is https://crbug.com/683629 downstream.
Comment 1 Dominic Cooney 2017-02-03 03:11:36 UTC
Created attachment 344830 [details]
Test case
Comment 2 Dominic Cooney 2017-02-03 03:13:38 UTC
Chromium's fuzzers created the attached repro, which causes xmlParseNameComplex to read one heap byte before the name buffer when the name is empty.

Here's a local patch we are using to check the bounds before dereferencing, which may be useful:

https://chromium.googlesource.com/chromium/src/+/b4054e8b83b60019c8cdcc9e9025fc6138725cf4%5E%21/#F1

When this is fixed upstream we'll be happy to discard our local patch.
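A model of the defect described in comment 2, added here as an illustration. It is not libxml2's xmlParseNameComplex and not the Chromium patch linked above; the scanner, its CR-LF skip, the `struct input` layout and the function names are simplifications assumed for this example. It places the unchecked look-behind beside a bounds-checked version, and includes a predicate that reports when the unchecked form would read before the buffer without actually performing that read.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a name scanner, constructed for this example (not
 * libxml2 code). It reproduces only the shape of the bug: a look-behind
 * (cur[-1]) evaluated even when nothing has been consumed, so an empty
 * name at the start of a heap buffer reads one byte before the allocation. */

struct input {
    const char *base;   /* start of the heap buffer */
    const char *cur;    /* current parse position */
    const char *end;    /* one past the last byte */
};

static int is_name_char(int c) {
    return isalnum(c) || c == '_' || c == '-' || c == '.' || c == ':';
}

/* Consume name characters. A "\r\n" right after the name is normalised by
 * skipping the '\r' in place (an assumption of this model), which is why
 * the caller later looks behind cur to recover where the name started. */
static size_t scan_name(struct input *in) {
    size_t len = 0;
    while (in->cur < in->end && is_name_char((unsigned char)*in->cur)) {
        in->cur++;
        len++;
    }
    if (in->cur + 1 < in->end && in->cur[0] == '\r' && in->cur[1] == '\n')
        in->cur++;                      /* cur now points at the '\n' */
    return len;
}

/* Vulnerable shape. With len == 0 and cur == base (input beginning with a
 * bare '\n'), cur[-1] is base[-1]: one byte before the heap buffer. */
static const char *name_start_unchecked(const struct input *in, size_t len) {
    if (in->cur < in->end && *in->cur == '\n' && in->cur[-1] == '\r')
        return in->cur - (len + 1);
    return in->cur - len;
}

/* Hardened shape: reject the empty name before any look-behind, and only
 * dereference cur[-1] when cur > base. len > 0 already implies cur > base
 * here; the explicit bounds test keeps the fix independent of that. */
static const char *name_start_checked(const struct input *in, size_t len) {
    if (len == 0)
        return NULL;
    if (in->cur > in->base && in->cur < in->end &&
        *in->cur == '\n' && in->cur[-1] == '\r')
        return in->cur - (len + 1);
    return in->cur - len;
}

/* Scans one name from a heap copy of `text` (so an underflow would be a
 * real heap read under ASan) and copies it to `out` if there is room.
 * Returns the name length, -1 for an empty name (hardened only), -2 if
 * `out` is too small. Do not feed '\n'-led input to the unchecked variant. */
static int parse_name(const char *text, int hardened, char *out, size_t outsz) {
    size_t n = strlen(text);
    char *buf = malloc(n ? n : 1);
    if (buf == NULL)
        return -2;
    memcpy(buf, text, n);
    struct input in = { buf, buf, buf + n };
    size_t len = scan_name(&in);
    const char *start = hardened ? name_start_checked(&in, len)
                                 : name_start_unchecked(&in, len);
    int rc = -1;
    if (start != NULL && out != NULL && len + 1 <= outsz) {
        memcpy(out, start, len);
        out[len] = '\0';
        rc = (int)len;
    } else if (start != NULL) {
        rc = -2;
    }
    free(buf);
    return rc;
}

/* 1 if scanning `text` yields exactly `expected`, else 0. */
static int name_is(const char *text, int hardened, const char *expected) {
    char out[64];
    int rc = parse_name(text, hardened, out, sizeof out);
    return rc >= 0 && strcmp(out, expected) == 0;
}

/* Decides, without dereferencing anything, whether the unchecked shape
 * would read before the buffer: exactly when the scan consumed nothing,
 * skipped no '\r', and the byte at cur is '\n'. */
static int unchecked_would_underflow(const char *text) {
    struct input in = { text, text, text + strlen(text) };
    size_t len = scan_name(&in);
    return len == 0 && in.cur == in.base && in.cur < in.end && *in.cur == '\n';
}

int main(void) {
    char name[64];
    printf("hardened \"root\\r\\n<\": %d %s\n",
           parse_name("root\r\n<", 1, name, sizeof name), name);
    printf("unchecked underflows on \"\\n<a/>\": %d\n",
           unchecked_would_underflow("\n<a/>"));
    printf("hardened on \"\\n<a/>\": %d\n", parse_name("\n<a/>", 1, NULL, 0));
    return 0;
}
```

The constructed input `"\n<a/>"` is the case the comment describes: the scanner has consumed nothing, `cur == base`, and the unchecked form tests `cur[-1]`. The hardened form never reaches that dereference; it reports the empty name first, and its look-behind is additionally gated on `cur > base` so the guard does not rely on the empty-name check being the only path into it.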
Comment 3 Nick Wellnhofer 2017-06-05 15:50:46 UTC

*** This bug has been marked as a duplicate of bug 766956 ***