Bug 680924 - Off-by-one read in pattern parsing
Status: RESOLVED FIXED
Product: libxslt
Classification: Platform
Component: general
Version: 1.1.26
Hardware / OS: Other / All
Priority / Severity: Normal / major
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2012-07-31 17:03 UTC by Nicolas Gregoire
Modified: 2012-09-07 03:46 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description Nicolas Gregoire 2012-07-31 17:03:59 UTC
Processing a pattern with an odd number of quotes will read one byte after the end of the allocated buffer:

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
	<xsl:template match="x'x"/>
</xsl:stylesheet>

Valgrind output log:

==3901== Invalid read of size 1
==3901==    at 0x40D20BE: xsltCompilePatternInternal (pattern.c:1853)
==3901==    by 0x40D2C59: xsltAddTemplate (pattern.c:2040)
==3901==    by 0x40CA3A2: xsltParseStylesheetTop (xslt.c:5413)
==3901==    by 0x40CA868: xsltParseStylesheetProcess (xslt.c:6414)
==3901==    by 0x40CAD2B: xsltParseStylesheetImportedDoc (xslt.c:6627)
==3901==    by 0x40CADDE: xsltParseStylesheetDoc (xslt.c:6666)
==3901==    by 0x804A7F3: main (xsltproc.c:830)
==3901==  Address 0x43e579c is 0 bytes after a block of size 4 alloc'd
==3901==    at 0x4024F20: malloc (vg_replace_malloc.c:236)
==3901==    by 0x41A85FC: xmlStrndup (xmlstring.c:45)
==3901==    by 0x41A86DF: xmlStrdup (xmlstring.c:71)
==3901==    by 0x4151125: xmlGetPropNodeValueInternal (tree.c:6441)
==3901==    by 0x40CA119: xsltParseStylesheetTop (xslt.c:5352)
==3901==    by 0x40CA868: xsltParseStylesheetProcess (xslt.c:6414)
==3901==    by 0x40CAD2B: xsltParseStylesheetImportedDoc (xslt.c:6627)
==3901==    by 0x40CADDE: xsltParseStylesheetDoc (xslt.c:6666)
==3901==    by 0x804A7F3: main (xsltproc.c:830)
==3901==
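The failure mode described in the report is an unterminated quoted literal inside a match pattern: a scanner that only looks for the closing quote steps over the terminating NUL and reads the byte just after the buffer, which is exactly what Valgrind flags above ("0 bytes after a block of size 4" for the string "x'x" plus its NUL). The C example below is added here and is not libxslt's code; it models a union-pattern splitting loop with a bounds-aware quote scanner (the names `skip_quoted`, `count_alternatives` and `check_pattern` are the example's own) and runs it on a heap copy sized exactly as a strdup-style allocation would be, so that Valgrind or AddressSanitizer would report any overread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Skip a quoted literal.  s[i] is the opening quote character.
 * Returns the index just past the closing quote, or -1 if the literal is
 * unterminated.  The loop tests for NUL before comparing with the quote,
 * and an unterminated literal is reported to the caller instead of the
 * index being advanced once more: a scanner that unconditionally did i++
 * after the loop would step past the NUL and read the byte after the
 * buffer, which is the bug class this report describes. */
static long skip_quoted(const char *s, size_t i) {
    char q = s[i];
    i++;
    while (s[i] != '\0' && s[i] != q)
        i++;
    if (s[i] == '\0')
        return -1;
    return (long)(i + 1);
}

/* Count the '|'-separated alternatives of a union pattern, ignoring '|'
 * inside quoted literals.  Returns -1 if a quoted literal is unterminated. */
long count_alternatives(const char *pattern) {
    long n = 1;
    size_t i = 0;
    while (pattern[i] != '\0') {
        char c = pattern[i];
        if (c == '\'' || c == '"') {
            long next = skip_quoted(pattern, i);
            if (next < 0)
                return -1;
            i = (size_t)next;
            continue;
        }
        if (c == '|')
            n++;
        i++;
    }
    return n;
}

/* Run count_alternatives on a heap copy of exactly strlen+1 bytes, the way
 * a strdup-style allocation (xmlStrdup in the report) sizes it, so that a
 * memory checker sees any read beyond the buffer as an error.
 * Returns the alternative count, -1 for an unterminated quote, -2 on OOM. */
long check_pattern(const char *pattern) {
    size_t len = strlen(pattern);
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return -2;
    memcpy(buf, pattern, len + 1);
    long result = count_alternatives(buf);
    free(buf);
    return result;
}

int main(void) {
    /* Constructed sample patterns; the second one is the report's "x'x". */
    const char *samples[] = { "a|b", "x'x", "a[@b='c|d']|e", "x'x'", "'" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-16s -> %ld\n", samples[k], check_pattern(samples[k]));
    return 0;
}
```

Building with `-fsanitize=address` or running the binary under `valgrind` is the same check the reporter used; with the NUL test placed before the quote comparison and the missing-quote case returned as an error, neither tool reports a read beyond the allocated block.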
Comment 1 Nick Wellnhofer 2012-07-31 18:55:06 UTC
Should be fixed in this commit:

http://git.gnome.org/browse/libxslt/commit/?id=fe5a4fa33eb85bce3253ed3742b1ea6c4b59b41b
Comment 2 Nicolas Gregoire 2012-08-02 15:08:57 UTC
The proposed fix was tested and seems fine.
Comment 3 Daniel Veillard 2012-09-07 03:46:28 UTC
Okay, mark as fixed then!

   thanks!

Daniel