In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
{ "vanir_signatures": [ { "source": "https://gitlab.gnome.org/GNOME/libxslt@2232473733b7313d67de8836ea3b29eec6e8e285", "digest": { "line_hashes": [ "266245419573562079238130491404901662962", "57902627410114842905830600954340140091", "279651622861576520925880697882883872608", "258310434323730145773797470629119220610" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2019-18197-029095e0", "target": { "file": "libxslt/transform.c" }, "signature_version": "v1" }, { "source": "https://gitlab.gnome.org/GNOME/libxslt@2232473733b7313d67de8836ea3b29eec6e8e285", "digest": { "function_hash": "178302094766719713342549592140395825202", "length": 3308.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2019-18197-7b5ccd3b", "target": { "function": "xsltCopyText", "file": "libxslt/transform.c" }, "signature_version": "v1" } ] }