summaryrefslogtreecommitdiffstats
path: root/external/redland/raptor/0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
blob: 1fb279df3e4df9d1ebc33e917da6f34a50b97b35 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
From a549457461874157c8c8e8e8a6e0eec06da4fbd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Tue, 24 Nov 2020 10:30:20 +0000
Subject: [PATCH] CVE-2020-25713 raptor2: malformed input file can lead to a
 segfault

due to an out of bounds array access in
raptor_xml_writer_start_element_common

See:
https://bugs.mageia.org/show_bug.cgi?id=27605
https://www.openwall.com/lists/oss-security/2020/11/13/1
https://gerrit.libreoffice.org/c/core/+/106249
---
 src/raptor_xml_writer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
index 56993dc3..4426d38c 100644
--- a/src/raptor_xml_writer.c
+++ b/src/raptor_xml_writer.c
@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
           
           /* check it wasn't an earlier declaration too */
           for(j = 0; j < nspace_declarations_count; j++)
-            if(nspace_declarations[j].nspace == element->attributes[j]->nspace) {
+            if(nspace_declarations[j].nspace == element->attributes[i]->nspace) {
               declare_me = 0;
               break;
             }
-- 
2.28.0