GNOME Bugzilla – Bug 680924
Off-by-one read in pattern parsing
Last modified: 2012-09-07 03:46:28 UTC
Processing a pattern with an odd number of quotes will read one byte after the end of the allocated buffer:

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="x'x"/>
</xsl:stylesheet>

Valgrind output log:

==3901== Invalid read of size 1
==3901==    at 0x40D20BE: xsltCompilePatternInternal (pattern.c:1853)
==3901==    by 0x40D2C59: xsltAddTemplate (pattern.c:2040)
==3901==    by 0x40CA3A2: xsltParseStylesheetTop (xslt.c:5413)
==3901==    by 0x40CA868: xsltParseStylesheetProcess (xslt.c:6414)
==3901==    by 0x40CAD2B: xsltParseStylesheetImportedDoc (xslt.c:6627)
==3901==    by 0x40CADDE: xsltParseStylesheetDoc (xslt.c:6666)
==3901==    by 0x804A7F3: main (xsltproc.c:830)
==3901==  Address 0x43e579c is 0 bytes after a block of size 4 alloc'd
==3901==    at 0x4024F20: malloc (vg_replace_malloc.c:236)
==3901==    by 0x41A85FC: xmlStrndup (xmlstring.c:45)
==3901==    by 0x41A86DF: xmlStrdup (xmlstring.c:71)
==3901==    by 0x4151125: xmlGetPropNodeValueInternal (tree.c:6441)
==3901==    by 0x40CA119: xsltParseStylesheetTop (xslt.c:5352)
==3901==    by 0x40CA868: xsltParseStylesheetProcess (xslt.c:6414)
==3901==    by 0x40CAD2B: xsltParseStylesheetImportedDoc (xslt.c:6627)
==3901==    by 0x40CADDE: xsltParseStylesheetDoc (xslt.c:6666)
==3901==    by 0x804A7F3: main (xsltproc.c:830)
==3901==
Should be fixed in this commit: http://git.gnome.org/browse/libxslt/commit/?id=fe5a4fa33eb85bce3253ed3742b1ea6c4b59b41b
The proposed fix was tested and seems fine.
Okay, mark as fixed then! Thanks! Daniel
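The following is an added illustration for the report and the fix above; it is not part of the bug thread and not libxslt's own code. It is a simplified pattern scanner in the shape the report describes: a quote-skipping loop that stops on the NUL terminator of an unterminated literal and then steps over it unconditionally. For the report's match pattern x'x (a 4-byte block counting the NUL) the buggy skipper hands back offset 4, one byte past the block, which is the read Valgrind flags; the guarded variant checks for the terminator and reports an error instead. Both skippers return the offset at which scanning would resume rather than dereferencing it, so the off-by-one is observable without performing an out-of-bounds read. The names skip_quoted_buggy, skip_quoted_fixed, split_pattern and part_len are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Constructed illustration (not libxslt's code).  A pattern scanner that
 * skips a quoted literal, in a buggy and a fixed form.  Both return the
 * offset where the caller's loop would resume, so the overread can be
 * observed as an offset past the buffer without actually reading it.
 */

/* Buggy: the inner loop stops on '\0' when the literal is unterminated,
 * and the unconditional step then points one past the terminator.  In a
 * real scanner the caller's next read of that byte is out of bounds. */
static size_t skip_quoted_buggy(const char *pat, size_t off) {
    char q = pat[off];
    off++;                              /* step over the opening quote */
    while (pat[off] != 0 && pat[off] != q)
        off++;
    off++;                              /* "step over the closing quote", even if it was NUL */
    return off;
}

/* Fixed: refuse an unterminated literal instead of walking past the NUL.
 * Returns (size_t)-1 on error so the caller can stop and report it. */
static size_t skip_quoted_fixed(const char *pat, size_t off) {
    char q = pat[off];
    off++;
    while (pat[off] != 0 && pat[off] != q)
        off++;
    if (pat[off] == 0)
        return (size_t)-1;              /* unterminated string in pattern */
    off++;
    return off;
}

/* Split a union pattern on '|' characters that sit outside quotes, using
 * the fixed skipper.  Stores up to max alternative lengths in lens and
 * returns the number of alternatives, or -1 on an unterminated quote. */
static int split_pattern(const char *pat, size_t *lens, int max) {
    size_t off = 0, start = 0;
    int n = 0;
    for (;;) {
        char c = pat[off];
        if (c == '\'' || c == '"') {
            off = skip_quoted_fixed(pat, off);
            if (off == (size_t)-1)
                return -1;
            continue;
        }
        if (c == '|' || c == 0) {
            if (n < max)
                lens[n] = off - start;
            n++;
            if (c == 0)
                return n;
            off++;
            start = off;
            continue;
        }
        off++;
    }
}

/* Length of the i-th alternative of pat, or -1 if pat is malformed or
 * has fewer than i+1 alternatives. */
static long part_len(const char *pat, int i) {
    size_t lens[16];
    int n = split_pattern(pat, lens, 16);
    if (n < 0 || i < 0 || i >= n || i >= 16)
        return -1;
    return (long)lens[i];
}

int main(void) {
    const char *pat = "x'x";            /* the report's pattern: one unmatched quote */
    printf("block size %zu, buggy scanner resumes at offset %zu, fixed scanner: %s\n",
           strlen(pat) + 1, skip_quoted_buggy(pat, 1),
           skip_quoted_fixed(pat, 1) == (size_t)-1 ? "error" : "ok");
    return 0;
}
```

Under the fixed skipper a pattern with an odd number of quotes fails cleanly, and the resume offset never exceeds the position of the terminator, which is the invariant the original code lacked.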