From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 1 May 2021 16:53:33 +0200
Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
Check return value of recursive calls to
xmlParseElementChildrenContentDeclPriv and return immediately in case
of errors. Otherwise, struct xmlElementContent could contain unexpected
null pointers, leading to a null deref when post-validating documents
which aren't well-formed and parsed in recovery mode.
Fixes #243.
---
 parser.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/parser.c b/parser.c
index b42e6043..73c27edd 100644
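--- a/parser.c
+++ b/parser.c
@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
 	SKIP_BLANKS;
         cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
                                                            depth + 1);
+        if (cur == NULL)
+            return(NULL);
 	SKIP_BLANKS;
 	GROW;
     } else {
@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
 	    SKIP_BLANKS;
 	    last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
                                                           depth + 1);
+            if (last == NULL) {
+		if (ret != NULL)
+		    xmlFreeDocElementContent(ctxt->myDoc, ret);
+		return(NULL);
+            }
 	    SKIP_BLANKS;
 	} else {
 	    elem = xmlParseName(ctxt);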
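Review bot: The new error path in the second hunk (`if (last == NULL)`) frees only `ret`, so it is leak-free only if the separator node created earlier in the same loop iteration is already linked under `ret`; that code lies outside the hunk (the function body starts and ends outside it) and is worth confirming. If the invariant holds, a short comment above the free such as `/* ret owns every node built so far, including the pending separator */` would record it for the next maintainer. The first hunk returns right after `cur = ret = ...`, before anything else is visibly allocated in this frame, so no cleanup appears to be needed there. The diffstat shows only parser.c changed; a regression case for a malformed content declaration parsed in recovery mode and then post-validated would guard against the null dereference described in the commit message coming back.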
-- 
GitLab