Fix OOB write in xmlXPathEmptyNodeSet

xmlXPathEmptyNodeSet would write a NULL pointer just beyond the end of the nodeTab array. This macro isn't used in libxml2, but in some of the math functions in libexslt where it can result in heap corruption and denial of service. Found by afl-fuzz and ASan.
jorgo512 · Apr 26, 2016 · 91ac664 · 91ac664
1 parent e289390
commit 91ac664
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/include/libxml/xpathInternals.h b/include/libxml/xpathInternals.h
@@ -229,7 +229,7 @@ XMLPUBFUN void * XMLCALL
  * Empties a node-set.
  */
 #define xmlXPathEmptyNodeSet(ns)					\
-    { while ((ns)->nodeNr > 0) (ns)->nodeTab[(ns)->nodeNr--] = NULL; }
+    { while ((ns)->nodeNr > 0) (ns)->nodeTab[--(ns)->nodeNr] = NULL; }
 
 /**
  * CHECK_ERROR: