Blame SOURCES/libxml2-2.9.1-CVE-2017-15412.patch
|
 |
8a784f |
From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001
|
|
|
8a784f |
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
|
8a784f |
Date: Thu, 1 Jun 2017 23:12:19 +0200
|
|
|
8a784f |
Subject: [PATCH] Fix XPath stack frame logic
|
|
|
8a784f |
|
|
|
8a784f |
Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
|
|
|
8a784f |
xmlXPathCompOpEvalPositionalPredicate to make sure that the context
|
|
|
8a784f |
object on the stack is actually protected. Otherwise, memory corruption
|
|
|
8a784f |
can occur when calling sloppily coded XPath extension functions.
|
|
|
8a784f |
|
|
|
8a784f |
Fixes bug 783160.
|
|
|
8a784f |
---
|
|
|
8a784f |
xpath.c | 4 ++--
|
|
|
8a784f |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
8a784f |
|
|
|
8a784f |
diff --git a/xpath.c b/xpath.c
|
|
|
8a784f |
index 94815075..b816bd36 100644
|
|
|
8a784f |
--- a/xpath.c
|
|
|
8a784f |
+++ b/xpath.c
|
|
|
8a784f |
@@ -11932,11 +11932,11 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
|
|
|
8a784f |
}
|
|
|
8a784f |
}
|
|
|
8a784f |
|
|
|
8a784f |
- frame = xmlXPathSetFrame(ctxt);
|
|
|
8a784f |
valuePush(ctxt, contextObj);
|
|
|
8a784f |
+ frame = xmlXPathSetFrame(ctxt);
|
|
|
8a784f |
res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
|
|
|
8a784f |
- tmp = valuePop(ctxt);
|
|
|
8a784f |
xmlXPathPopFrame(ctxt, frame);
|
|
|
8a784f |
+ tmp = valuePop(ctxt);
|
|
|
8a784f |
|
|
|
8a784f |
if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
|
|
|
8a784f |
while (tmp != contextObj) {
|
|
|
8a784f |
--
|
|
|
8a784f |
2.22.0
|
|
|
8a784f |
|