From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 10 Jun 2016 14:23:58 +0200
Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion

An empty decimal-separator could cause a heap overread. This can be
exploited to leak a couple of bytes after the buffer that holds the
pattern string.

Found with afl-fuzz and ASan.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
Patch status: upstream commit eb1030de311

 libxslt/numbers.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index d1549b46ca26..e78c46b6357b 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
     }
 
     /* We have finished the integer part, now work on fraction */
-    if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
+    if ( (*the_format != 0) &&
+         (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
         format_info.add_decimal = TRUE;
 	the_format += xsltUTF8Size(the_format);	/* Skip over the decimal */
     }
-- 
2.10.2