
From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 30 Jul 2018 12:54:38 +0200
Subject: [PATCH] Fix nullptr deref with XPath logic ops
If the XPath stack is corrupted, for example by a misbehaving extension
function, the "and" and "or" XPath operators could dereference NULL
pointers. Check that the XPath stack isn't empty and optimize the
logic operators slightly.
Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
Also see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
https://bugzilla.redhat.com/show_bug.cgi?id=1595985
This is CVE-2018-14404.
Thanks to Guy Inbar for the report.
---
 xpath.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/xpath.c b/xpath.c
23d8a0
index 3fae0bf4..5e3bb9ff 100644
23d8a0
--- a/xpath.c
23d8a0
+++ b/xpath.c
23d8a0
@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
23d8a0
 		return(0);
23d8a0
 	    }
23d8a0
             xmlXPathBooleanFunction(ctxt, 1);
23d8a0
-            arg1 = valuePop(ctxt);
23d8a0
-            arg1->boolval &= arg2->boolval;
23d8a0
-            valuePush(ctxt, arg1);
23d8a0
+            if (ctxt->value != NULL)
23d8a0
+                ctxt->value->boolval &= arg2->boolval;
23d8a0
 	    xmlXPathReleaseObject(ctxt->context, arg2);
23d8a0
             return (total);
23d8a0
         case XPATH_OP_OR:
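Review bot: The new `if (ctxt->value != NULL)` guard turns a corrupted-stack condition into a silent success: when the stack is empty after the second `xmlXPathBooleanFunction(ctxt, 1)` call, the combine is skipped, `arg2` is released, and the case still returns `total` as if the operator had produced a result; the same applies to the XPATH_OP_OR hunk that follows. The visible context shows this case bailing out on `ctxt->error` after each sub-expression is evaluated, but nothing re-checks `ctxt->error` between the boolean conversion and the new guard, so an error raised inside `xmlXPathBooleanFunction` (its stack check presumably reports one, which I cannot confirm from the hunk) is not acted on here either. Consider making the empty-stack branch explicit and visible to the caller, e.g. `if (ctxt->value == NULL) { xmlXPathReleaseObject(ctxt->context, arg2); XP_ERROR0(XPATH_STACK_ERROR); }`, so a misbehaving extension function surfaces as an XPath error rather than a missing boolean on the stack. A one-line comment such as `/* stack may be empty if an extension function misbehaved */` above the guard would also help the next reader understand why the NULL check is needed at all. The enclosing function xmlXPathCompOpEval begins and ends outside this hunk.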
23d8a0
@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
23d8a0
 		return(0);
23d8a0
 	    }
23d8a0
             xmlXPathBooleanFunction(ctxt, 1);
23d8a0
-            arg1 = valuePop(ctxt);
23d8a0
-            arg1->boolval |= arg2->boolval;
23d8a0
-            valuePush(ctxt, arg1);
23d8a0
+            if (ctxt->value != NULL)
23d8a0
+                ctxt->value->boolval |= arg2->boolval;
23d8a0
 	    xmlXPathReleaseObject(ctxt->context, arg2);
23d8a0
             return (total);
23d8a0
         case XPATH_OP_EQUAL:
23d8a0
-- 
2.22.0