Bug 675917 - Off-by-one in rc4_decrypt ?
Status: RESOLVED FIXED
Product: libxslt
Classification: Platform
Component: general
Version: 1.1.26
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
 
 
Reported: 2012-05-11 23:52 UTC by Nicolas Gregoire
Modified: 2012-09-06 12:30 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Repro XSL file (522 bytes, application/octet-stream), 2012-05-11 23:52 UTC, Nicolas Gregoire

Description Nicolas Gregoire 2012-05-11 23:52:26 UTC
Created attachment 213899
Repro XSL file

Using an ASan-enabled build (64-bit) => WRITE error:

==13065== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f340c04cf02 at pc 0x40b4c1 bp 0x7fff4aa83f00 sp 0x7fff4aa83ee8
WRITE of size 1 at 0x7f340c04cf02 thread T0
    #0 0x40b4c1 (/usr/local/bin/xsltproc+0x40b4c1)
    #1 0x7f340d4a2a57 (/usr/local/bin/xsltproc+0x7f340d4a2a57)
0x7f340c04cf02 is located 2 bytes to the right of 128-byte region [0x7f340c04ce80,0x7f340c04cf00)
allocated by thread T0 here:
    #0 0x413ee2 (/usr/local/bin/xsltproc+0x413ee2)
    #1 0x7f340d9c7ea4 (/usr/local/bin/xsltproc+0x7f340d9c7ea4)
    #2 0x7f340d4884ac (/usr/local/bin/xsltproc+0x7f340d4884ac)

Using Valgrind (32-bit) => READ error:

==24651== Invalid read of size 1
==24651==    at 0x41A86CB: xmlStrdup (xmlstring.c:70)
==24651==    by 0x40E9130: xsltValueOf (transform.c:4431)
==24651==    by 0x40E5FA6: xsltApplySequenceConstructor (transform.c:2595)
==24651==    by 0x40E75E1: xsltApplyXSLTTemplate (transform.c:3044)
==24651==    by 0x40E7E41: xsltProcessOneNode (transform.c:2045)
==24651==    by 0x40EB8D9: xsltApplyStylesheetInternal (transform.c:6049)
==24651==    by 0x8049E11: xsltProcess (xsltproc.c:404)
==24651==    by 0x804A866: main (xsltproc.c:867)
==24651==  Address 0x43f8058 is 0 bytes after a block of size 128 alloc'd
==24651==    at 0x4024F20: malloc (vg_replace_malloc.c:236)
==24651==    by 0x40FA5BE: exsltCryptoRc4DecryptFunction (crypto.c:755)
==24651==    by 0x418CBEF: xmlXPathCompOpEval (xpath.c:13478)
==24651==    by 0x418C681: xmlXPathCompOpEval (xpath.c:13862)
==24651==    by 0x418EE11: xmlXPathRunEval (xpath.c:14432)
==24651==    by 0x418F438: xmlXPathCompiledEvalInternal (xpath.c:14792)
==24651==    by 0x418F655: xmlXPathCompiledEval (xpath.c:14855)
==24651==    by 0x40E90F1: xsltValueOf (transform.c:4418)
==24651==    by 0x40E5FA6: xsltApplySequenceConstructor (transform.c:2595)
==24651==    by 0x40E75E1: xsltApplyXSLTTemplate (transform.c:3044)
==24651==    by 0x40E7E41: xsltProcessOneNode (transform.c:2045)
==24651==    by 0x40EB8D9: xsltApplyStylesheetInternal (transform.c:6049)
==24651==
Comment 2 Nicolas Gregoire 2012-08-02 15:07:41 UTC
The proposed fix was tested and seems fine.
Comment 3 Daniel Veillard 2012-09-06 12:30:36 UTC
Oops, looks fine! Pushed

http://git.gnome.org/browse/libxslt/commit/?id=3195073c740be579892c08cfc02efeae1a1c0dbd

  thanks!

Daniel
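The two traces in the report have the classic shape of a decrypted buffer allocated without room for its NUL terminator: ASan sees a one-byte write just beyond a 128-byte heap block, and Valgrind sees xmlStrdup reading the first byte past a 128-byte block that exsltCryptoRc4DecryptFunction allocated at crypto.c:755. The C below is an added illustration of that pattern and of the corrected sizing; it is not libexslt's crypto.c and does not reproduce the linked commit, and every name in it (rc4_crypt, hex2bin, rc4_decrypt_hex, gbuf_store, off_by_one_demo) is an assumption made for the example. The size-tracking gbuf stands in for ASan's redzone check, so the buggy variant reports the out-of-bounds terminator store instead of performing it; the sample key and message are constructed.

```c
/* Added example, not libexslt's crypto.c: a decrypted buffer allocated without room
 * for its NUL terminator (the off-by-one), beside the corrected sizing. All names
 * here are assumptions made for this illustration. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal RC4 (KSA + PRGA); RC4 is symmetric, so this both encrypts and decrypts. */
static void rc4_crypt(const uint8_t *key, size_t key_len,
                      const uint8_t *in, uint8_t *out, size_t len)
{
    uint8_t S[256], t;
    size_t i, j, k;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0, j = 0; i < 256; i++) {          /* KSA */
        j = (j + S[i] + key[i % key_len]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (i = 0, j = 0, k = 0; k < len; k++) {   /* PRGA, XORed onto the input */
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        out[k] = in[k] ^ S[(S[i] + S[j]) & 0xff];
    }
}

/* Decode hex into bin (capacity bin_cap); returns the byte count, or -1 if malformed. */
static int hex2bin(const char *hex, uint8_t *bin, size_t bin_cap)
{
    const char *digits = "0123456789abcdef", *hi, *lo;
    size_t n = strlen(hex), i;
    if (n % 2 != 0 || n / 2 > bin_cap) return -1;
    for (i = 0; i < n; i += 2) {                /* n is even, so hex[i+1] is never '\0' */
        hi = strchr(digits, tolower((unsigned char)hex[i]));
        lo = strchr(digits, tolower((unsigned char)hex[i + 1]));
        if (!hi || !lo) return -1;
        bin[i / 2] = (uint8_t)(((hi - digits) << 4) | (lo - digits));
    }
    return (int)(n / 2);
}

/* Encrypt a C string; returns the ciphertext as a malloc'd lowercase hex string. */
static char *rc4_encrypt_to_hex(const char *key, const char *plain)
{
    size_t len = strlen(plain), i;
    uint8_t ct[256];                            /* enough for the sample inputs used here */
    char *hex = (*key && len < sizeof ct) ? malloc(2 * len + 1) : NULL;
    if (!hex) return NULL;
    rc4_crypt((const uint8_t *)key, strlen(key), (const uint8_t *)plain, ct, len);
    for (i = 0; i < len; i++) sprintf(hex + 2 * i, "%02x", ct[i]);
    hex[2 * len] = '\0';
    return hex;
}

/* Size-tracking block standing in for ASan's redzone check: an out-of-bounds store
 * is reported (return -1) instead of corrupting the heap. */
typedef struct { uint8_t *p; size_t size; } gbuf;
static int gbuf_store(gbuf *b, size_t idx, uint8_t v)
{
    if (idx >= b->size) return -1;              /* ASan: heap-buffer-overflow WRITE of size 1 */
    b->p[idx] = v; return 0;
}

/* Decrypt hex ciphertext into a malloc'd NUL-terminated string (caller frees). slack is
 * the room allocated beyond the plaintext length ret_len: 0 gives malloc(ret_len), so the
 * terminator store ret[ret_len] lands one past the block and a later strlen/xmlStrdup-style
 * scan reads past it looking for a NUL; 1 gives malloc(ret_len + 1), the corrected sizing.
 * Returns NULL, with *oob_index set to the offending offset, on an out-of-bounds store. */
static char *rc4_decrypt_hex(const char *key, const char *hex, size_t slack, long *oob_index)
{
    size_t hex_len = strlen(hex);
    uint8_t *bin = malloc(hex_len + 1);
    gbuf out = { NULL, 0 };
    int ret_len;
    *oob_index = -1;
    if (!bin || !*key) { free(bin); return NULL; }
    ret_len = hex2bin(hex, bin, hex_len);
    if (ret_len < 0) { free(bin); return NULL; }
    out.size = (size_t)ret_len + slack;
    out.p = malloc(out.size ? out.size : 1);
    if (!out.p) { free(bin); return NULL; }
    rc4_crypt((const uint8_t *)key, strlen(key), bin, out.p, (size_t)ret_len);
    free(bin);
    if (gbuf_store(&out, (size_t)ret_len, 0) != 0) {  /* the NUL terminator */
        *oob_index = ret_len; free(out.p); return NULL;
    }
    return (char *)out.p;
}

/* Returns 1 when the buggy sizing is caught at ret[ret_len] and the fixed one round-trips. */
static int off_by_one_demo(void)
{
    const char *key = "secret", *msg = "hello, world";  /* constructed sample input */
    char *hex = rc4_encrypt_to_hex(key, msg), *bad, *good;
    long oob_bad, oob_good;
    int ok;
    if (!hex) return 0;
    bad  = rc4_decrypt_hex(key, hex, 0, &oob_bad);   /* malloc(ret_len): off-by-one */
    good = rc4_decrypt_hex(key, hex, 1, &oob_good);  /* malloc(ret_len + 1): fixed */
    ok = !bad && oob_bad == (long)strlen(msg) && good && oob_good == -1 && !strcmp(good, msg);
    free(bad); free(good); free(hex);
    return ok;
}
```

With slack 0 the report's two symptoms follow directly: the NUL store at ret[ret_len] is the one-byte write past the block that ASan flags, and because no NUL ever landed inside the block, any later length scan (strlen, or xmlStrdup as in the Valgrind trace) reads past its end. With slack 1 the terminator has a home and the decrypted text round-trips; the constant `bbf316e8d940af0ad3` used in the self-check is the public RC4 test vector for key "Key" and plaintext "Plaintext".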