From 77c26bad0433541f486b1e7ced44ca9979376908 Mon Sep 17 00:00:00 2001 |
From: Nick Wellnhofer <wellnhofer@aevum.de> |
Date: Wed, 26 Aug 2020 00:34:38 +0200 |
Subject: [PATCH] Don't set maxDepth in XPath contexts |
|
The maximum recursion depth is hardcoded in libxml2 now. |
--- |
libxslt/functions.c | 2 +- |
tests/fuzz/fuzz.c | 11 ++--------- |
2 files changed, 3 insertions(+), 10 deletions(-) |
|
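--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -182,7 +182,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
     defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
     xptrctxt->opLimit = ctxt->context->opLimit;
     xptrctxt->opCount = ctxt->context->opCount;
-    xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
+    xptrctxt->depth = ctxt->context->depth;
 
     resObj = xmlXPtrEval(fragment, xptrctxt);
 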
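Review bot: The new `xptrctxt->depth = ctxt->context->depth;` line carries the caller's current recursion depth into the nested XPointer context without saying why, and the old line's intent (handing down a remaining-depth budget) disappears with it; a one-line comment would stop the next reader from treating it as a stray field copy, e.g. `/* Propagate the current depth so the nested evaluation counts against libxml2's built-in recursion limit. */`. The `#if` condition guarding this block begins above the hunk, so it is worth confirming that every libxml2 version accepted by that guard provides the `depth` field, since the commit message only states that the maximum depth is now hardcoded. Whether the nested context's counters are read back after `xmlXPtrEval` is not visible here; xsltDocumentFunctionLoadDocument continues outside the hunk.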
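--- a/tests/fuzz/fuzz.c
+++ b/tests/fuzz/fuzz.c
@@ -183,7 +183,6 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
     xpctxt = tctxt->xpathCtxt;
 
     /* Resource limits to avoid timeouts and call stack overflows */
-    xpctxt->maxDepth = 500;
     xpctxt->opLimit = 500000;
 
     /* Test namespaces used in xpath.xml */
@@ -314,12 +313,6 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
     return 0;
 }
 
-static void
-xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
-    ctxt->maxDepth = 200;
-    ctxt->opLimit = 100000;
-}
-
 xmlChar *
 xsltFuzzXslt(const char *data, size_t size) {
     xmlDocPtr xsltDoc;
@@ -349,7 +342,7 @@ xsltFuzzXslt(const char *data, size_t size) {
         xmlFreeDoc(xsltDoc);
         return NULL;
     }
-    xsltSetXPathResourceLimits(sheet->xpathCtxt);
+    sheet->xpathCtxt->opLimit = 100000;
     sheet->xpathCtxt->opCount = 0;
     if (xsltParseStylesheetUser(sheet, xsltDoc) != 0) {
         xsltFreeStylesheet(sheet);
@@ -361,7 +354,7 @@ xsltFuzzXslt(const char *data, size_t size) {
     xsltSetCtxtSecurityPrefs(sec, ctxt);
     ctxt->maxTemplateDepth = 100;
     ctxt->opLimit = 20000;
-    xsltSetXPathResourceLimits(ctxt->xpathCtxt);
+    ctxt->xpathCtxt->opLimit = 100000;
     ctxt->xpathCtxt->opCount = sheet->xpathCtxt->opCount;
 
     result = xsltApplyStylesheetUser(sheet, doc, NULL, NULL, NULL, ctxt);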
-- |
GitLab |