153aa9179Sopenharmony_ciFrom 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Fri, 7 Apr 2023 11:49:27 +0200
453aa9179Sopenharmony_ciSubject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
553aa9179Sopenharmony_ci deterministic
653aa9179Sopenharmony_ci
753aa9179Sopenharmony_ciWhen hashing empty strings which aren't null-terminated,
853aa9179Sopenharmony_cixmlDictComputeFastKey could produce inconsistent results. This could
953aa9179Sopenharmony_cilead to various logic or memory errors, including double frees.
1053aa9179Sopenharmony_ci
1153aa9179Sopenharmony_ciFor consistency the seed is also taken into account, but this shouldn't
1253aa9179Sopenharmony_cihave an impact on security.
1353aa9179Sopenharmony_ci
1453aa9179Sopenharmony_ciFound by OSS-Fuzz.
1553aa9179Sopenharmony_ci
1653aa9179Sopenharmony_ciFixes #510.
1753aa9179Sopenharmony_ci
1853aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df
1953aa9179Sopenharmony_ciConflict:NA
2053aa9179Sopenharmony_ci
2153aa9179Sopenharmony_ci---
2253aa9179Sopenharmony_ci dict.c | 3 ++-
2353aa9179Sopenharmony_ci 1 file changed, 2 insertions(+), 1 deletion(-)
2453aa9179Sopenharmony_ci
2553aa9179Sopenharmony_cidiff --git a/dict.c b/dict.c
2653aa9179Sopenharmony_ciindex 90e4d81..e39e8a4 100644
2753aa9179Sopenharmony_ci--- a/dict.c
2853aa9179Sopenharmony_ci+++ b/dict.c
2953aa9179Sopenharmony_ci@@ -451,7 +451,8 @@ static unsigned long
3053aa9179Sopenharmony_ci xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
3153aa9179Sopenharmony_ci     unsigned long value = seed;
3253aa9179Sopenharmony_ci 
3353aa9179Sopenharmony_ci-    if (name == NULL) return(0);
3453aa9179Sopenharmony_ci+    if ((name == NULL) || (namelen <= 0))
3553aa9179Sopenharmony_ci+        return(value);
3653aa9179Sopenharmony_ci     value += *name;
3753aa9179Sopenharmony_ci     value <<= 5;
3853aa9179Sopenharmony_ci     if (namelen > 10) {
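Review bot: The added guard `if ((name == NULL) || (namelen <= 0))` carries no comment explaining why an empty name must skip `value += *name`, and that reason is the security point of the fix. With `namelen <= 0` the buffer need not be NUL-terminated, so the byte at `*name` is not part of the key and reading it makes the hash depend on whatever follows in memory. I would put `/* Empty keys may lack a terminator: never read *name, hash to the seed only. */` directly above the check. The NULL case now returns the seed rather than 0, which deserves a line in the function's header comment, and it may be worth confirming that the other key-computation helpers in dict.c treat zero-length input the same way. The body of xmlDictComputeFastKey continues past the end of this hunk.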
3953aa9179Sopenharmony_ci-- 
4053aa9179Sopenharmony_ci2.27.0
4153aa9179Sopenharmony_ci