|
Lines 1-18
Link Here
|
| 1 |
--- libxslt/transform.c.orig 2017-10-30 07:49:55 UTC |
1 |
From ee31512213544a869418a06a819e9cb9a7346f65 Mon Sep 17 00:00:00 2001 |
|
|
2 |
From: Nick Wellnhofer <wellnhofer@aevum.de> |
| 3 |
Date: Sat, 17 Aug 2019 16:51:53 +0200 |
| 4 |
Subject: [PATCH] Fix dangling pointer in xsltCopyText |
| 5 |
|
| 6 |
xsltCopyText didn't reset ctxt->lasttext in some cases which could |
| 7 |
lead to various memory errors in relation with CDATA sections in input |
| 8 |
documents. |
| 9 |
|
| 10 |
Found by OSS-Fuzz. |
| 11 |
--- |
| 12 |
libxslt/transform.c | 2 ++ |
| 13 |
1 file changed, 2 insertions(+) |
| 14 |
|
| 15 |
diff --git a/libxslt/transform.c b/libxslt/transform.c |
| 16 |
index ed5afacb..477265c2 100644 |
| 17 |
--- libxslt/transform.c |
| 2 |
+++ libxslt/transform.c |
18 |
+++ libxslt/transform.c |
| 3 |
@@ -3485,10 +3485,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNode |
19 |
@@ -1090,6 +1090,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target, |
| 4 |
*/ |
20 |
if ((copy->content = xmlStrdup(cur->content)) == NULL) |
| 5 |
if (ctxt->sec != NULL) { |
21 |
return NULL; |
| 6 |
ret = xsltCheckWrite(ctxt->sec, ctxt, filename); |
22 |
} |
| 7 |
- if (ret == 0) { |
23 |
+ |
| 8 |
- xsltTransformError(ctxt, NULL, inst, |
24 |
+ ctxt->lasttext = NULL; |
| 9 |
- "xsltDocumentElem: write rights for %s denied\n", |
25 |
} else { |
| 10 |
- filename); |
26 |
/* |
| 11 |
+ if (ret <= 0) { |
27 |
* normal processing. keep counters to extend the text node |
| 12 |
+ if (ret == 0) |
28 |
-- |
| 13 |
+ xsltTransformError(ctxt, NULL, inst, |
29 |
2.23.0 |
| 14 |
+ "xsltDocumentElem: write rights for %s denied\n", |
30 |
|
| 15 |
+ filename); |
|
|
| 16 |
xmlFree(URL); |
| 17 |
xmlFree(filename); |
| 18 |
return; |
| 19 |
- |
|
|