Fix OOB read with invalid UTF-8 in xmlUTF8Strsize With certain invalid UTF-8, xmlUTF8Strsize can read up to 6 bytes beyond the end of the string and return the wrong size. This means that in xmlUTF8Strndup and similar code, some content behind the string is copied. But since the terminating \0 is copied as well, this probably can't be exploited to leak sensitive information. Found by afl-fuzz and ASan.

commit: 96a5c17ee154add361abbae27b29c86e398fc1b9 [log] [tgz]
author: Nick Wellnhofer <wellnhofer@aevum.de> Thu Apr 21 19:03:47 2016 +0200
committer: Nick Wellnhofer <wellnhofer@aevum.de> Sat Apr 23 18:44:27 2016 +0200
tree: ea6c659cffa683e2117eefca414548ca704055ce
parent: cad102b861f74d56e3f6e710c466cf1a38a5db56 [diff]
diff --git a/xmlstring.c b/xmlstring.c
index a37220d..b89c9e9 100644
--- a/xmlstring.c
+++ b/xmlstring.c

@@ -837,8 +837,8 @@
             break;
         if ( (ch = *ptr++) & 0x80)
             while ((ch<<=1) & 0x80 ) {
-                ptr++;
 		if (*ptr == 0) break;
+                ptr++;
 	    }
     }
     return (ptr - utf);
commit	96a5c17ee154add361abbae27b29c86e398fc1b9	[log] [tgz]
author	Nick Wellnhofer <wellnhofer@aevum.de>	Thu Apr 21 19:03:47 2016 +0200
committer	Nick Wellnhofer <wellnhofer@aevum.de>	Sat Apr 23 18:44:27 2016 +0200
tree	ea6c659cffa683e2117eefca414548ca704055ce
parent	cad102b861f74d56e3f6e710c466cf1a38a5db56 [diff]