CVE-2017-16932
| CVE ID | CVE-2017-16932 |
|---|---|
| CVSS Score | 7.5 |
| Operating System | |
| Affected Versions | |
| Patched Versions | |
| Patch Date | |
| Last Updated Date | |
| Vector String | |
Additional Information
OL CVE Issue Summary:
xmlSnprintfElementContent() in valid.c is supposed to recursively dump the element content definition into a char buffer buf of size size. The variable len is assigned strlen(buf). If content->type is XML_ELEMENT_CONTENT_ELEMENT, then
(i) content->prefix is appended to buf (if it actually fits),
whereupon
(ii) content->name is written to the buffer.
However, the check for whether content->name actually fits also uses len rather than the updated buffer length strlen(buf). This allows writing about "size" many bytes beyond the allocated memory.
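
The stale-length check described above, reduced to a simplified C model. This is an added example, not libxml2's code: the function names, the 16-byte buffer and the sample strings are constructed, and the real function's exact size margins are not reproduced.

```c
#include <stdio.h>
#include <string.h>

/* Model of the flawed branch. Returns how many bytes would land past the end
 * of a size-byte buffer. Arithmetic only, so nothing is actually overwritten. */
static size_t overrun_with_stale_len(const char *buf, size_t size,
                                     const char *prefix, const char *name)
{
    size_t len = strlen(buf);                /* measured once, never refreshed */
    size_t end = len;                        /* where the data really ends */
    if (prefix != NULL) {
        if (strlen(prefix) + 2 > size - len) /* prefix + ':' + NUL */
            return 0;
        end += strlen(prefix) + 1;           /* prefix and ':' appended */
    }
    if (strlen(name) + 1 > size - len)       /* BUG: ignores the prefix bytes */
        return 0;
    end += strlen(name) + 1;                 /* name + NUL */
    return end > size ? end - size : 0;
}

/* Hardened form: re-measure the buffer before the second check.
 * Returns 0 on success, -1 if the data does not fit (buf stays terminated). */
static int append_qname_checked(char *buf, size_t size,
                                const char *prefix, const char *name)
{
    size_t len = strlen(buf);
    if (prefix != NULL) {
        if (strlen(prefix) + 2 > size - len)
            return -1;
        strcat(buf, prefix);
        strcat(buf, ":");
        len = strlen(buf);                   /* the update the summary says is missing */
    }
    if (strlen(name) + 1 > size - len)
        return -1;
    strcat(buf, name);
    return 0;
}

int main(void)
{
    char buf[16] = "(";                      /* constructed sample input */
    size_t over = overrun_with_stale_len(buf, sizeof buf, "abcdefghij", "klmnopqrstu");
    int rc = append_qname_checked(buf, sizeof buf, "abcdefghij", "klmnopqrstu");
    printf("stale check: %zu bytes past the end; fixed check returns %d\n", over, rc);
    return 0;
}
```

Both checks pass individually against the stale len, yet prefix and name together need 24 bytes in a 16-byte buffer; the re-measured check rejects the name instead.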