1From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Fri, 7 Apr 2023 11:49:27 +0200
4Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
5 deterministic
6
7When hashing empty strings which aren't null-terminated,
8xmlDictComputeFastKey could produce inconsistent results. This could
9lead to various logic or memory errors, including double frees.
10
11For consistency the seed is also taken into account, but this shouldn't
12have an impact on security.
13
14Found by OSS-Fuzz.
15
16Fixes #510.
17
18Reference:https://github.com/GNOME/libxml2/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df
19Conflict:NA
20
21---
22 dict.c | 3 ++-
23 1 file changed, 2 insertions(+), 1 deletion(-)
24
25diff --git a/dict.c b/dict.c
26index 90e4d81..e39e8a4 100644
27--- a/dict.c
28+++ b/dict.c
29@@ -451,7 +451,8 @@ static unsigned long
30 xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
31 unsigned long value = seed;
32
33- if (name == NULL) return(0);
34+ if ((name == NULL) || (namelen <= 0))
35+ return(value);
36 value += *name;
37 value <<= 5;
38 if (namelen > 10) {
39--
402.27.0
41
42
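Review bot: The new guard in xmlDictComputeFastKey carries no comment explaining why `namelen <= 0` has to return before `value += *name`. That is the invariant a later cleanup is most likely to undo: `name` is a length-delimited slice that need not be NUL-terminated, so with a zero length its first byte belongs to whatever follows in the buffer and the key would vary with neighbouring data. I would add above the check `/* name is not necessarily NUL-terminated: with namelen <= 0 no byte may be read, so hash the seed only */`. The NULL case now returns the seed instead of 0, which the commit message covers. The function body continues past the end of the hunk, so the later indexed reads of `name` cannot be checked from here. A regression test that looks up the same empty slice taken from two different backing buffers and expects one dictionary entry would pin the fix.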