CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey For https://bugzilla.gnome.org/show_bug.cgi?id=756528 It was possible to hit a negative offset in the name indexing used to randomize the dictionary key generation Reported and fix provided by David Drysdale @ Google

commit: 6360a31a84efe69d155ed96306b9a931a40beab9 [log] [tgz]
author: David Drysdale <drysdale@google.com> Fri Nov 20 10:47:12 2015 +0800
committer: Daniel Veillard <veillard@redhat.com> Fri Nov 20 10:47:12 2015 +0800
tree: 2f78a1031ab8e14f2e01c1f3a9affad77bd142f8
parent: 53ac9c9649fa091377dfea9511f012171f08972d [diff]
diff --git a/dict.c b/dict.c
index 5f71d55..8c8f931 100644
--- a/dict.c
+++ b/dict.c

@@ -486,7 +486,10 @@
 	value += 30 * (*prefix);
 
     if (len > 10) {
-        value += name[len - (plen + 1 + 1)];
+        int offset = len - (plen + 1 + 1);
+	if (offset < 0)
+	    offset = len - (10 + 1);
+	value += name[offset];
         len = 10;
 	if (plen > 10)
 	    plen = 10;
commit	6360a31a84efe69d155ed96306b9a931a40beab9	[log] [tgz]
author	David Drysdale <drysdale@google.com>	Fri Nov 20 10:47:12 2015 +0800
committer	Daniel Veillard <veillard@redhat.com>	Fri Nov 20 10:47:12 2015 +0800
tree	2f78a1031ab8e14f2e01c1f3a9affad77bd142f8
parent	53ac9c9649fa091377dfea9511f012171f08972d [diff]