153aa9179Sopenharmony_ciFrom 2876ac5392a4e891b81e40e592c3ac6cb46016ce Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Wed, 8 May 2024 11:49:31 +0200
453aa9179Sopenharmony_ciSubject: [PATCH] [CVE-2024-34459] Fix buffer overread with `xmllint --htmlout`
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciAdd a missing bounds check.
753aa9179Sopenharmony_ci---
853aa9179Sopenharmony_ci xmllint.c | 2 +-
953aa9179Sopenharmony_ci 1 file changed, 1 insertion(+), 1 deletion(-)
1053aa9179Sopenharmony_ci
1153aa9179Sopenharmony_cidiff --git a/xmllint.c b/xmllint.c
1253aa9179Sopenharmony_ciindex 82a878651..4d84c640b 100644
1353aa9179Sopenharmony_ci--- a/xmllint.c
1453aa9179Sopenharmony_ci+++ b/xmllint.c
1553aa9179Sopenharmony_ci@@ -599,7 +599,7 @@ xmlHTMLPrintFileContext(xmlParserInputPtr input) {
1653aa9179Sopenharmony_ci len = strlen(buffer);
1753aa9179Sopenharmony_ci snprintf(&buffer[len], sizeof(buffer) - len, "\n");
1853aa9179Sopenharmony_ci cur = input->cur;
1953aa9179Sopenharmony_ci- while ((*cur == '\n') || (*cur == '\r'))
2053aa9179Sopenharmony_ci+ while ((cur > base) && ((*cur == '\n') || (*cur == '\r')))
2153aa9179Sopenharmony_ci cur--;
2253aa9179Sopenharmony_ci n = 0;
2353aa9179Sopenharmony_ci while ((cur != base) && (n++ < 80)) {
2453aa9179Sopenharmony_ci--
2553aa9179Sopenharmony_ciGitLab
2653aa9179Sopenharmony_ci
27
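Review bot: The second backward loop, two lines below the new guard, still stops on `cur != base`, which bounds the walk only if `cur` is at or above `base` when that loop is reached, whereas the guard added here uses `cur > base`. Writing both the same way, `while ((cur > base) && (n++ < 80)) {`, keeps the lower bound explicit in one form and behaves identically whenever `cur` starts inside the buffer. A short comment on the guard, such as `/* never step back past the start of the input buffer */`, would record why the check exists. The body of xmlHTMLPrintFileContext starts and ends outside this hunk, so where `base` is assigned and what the second loop does with `cur` cannot be checked from here.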