From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 30 Jul 2018 12:54:38 +0200
Subject: [PATCH] Fix nullptr deref with XPath logic ops
If the XPath stack is corrupted, for example by a misbehaving extension
function, the "and" and "or" XPath operators could dereference NULL
pointers. Check that the XPath stack isn't empty and optimize the
logic operators slightly.
Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
Also see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
https://bugzilla.redhat.com/show_bug.cgi?id=1595985
This is CVE-2018-14404.
Thanks to Guy Inbar for the report.
---
 xpath.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/xpath.c b/xpath.c
index 3fae0bf4..5e3bb9ff 100644
--- a/xpath.c
+++ b/xpath.c
@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
 		return(0);
 	    }
             xmlXPathBooleanFunction(ctxt, 1);
-            arg1 = valuePop(ctxt);
-            arg1->boolval &= arg2->boolval;
-            valuePush(ctxt, arg1);
+            if (ctxt->value != NULL)
+                ctxt->value->boolval &= arg2->boolval;
 	    xmlXPathReleaseObject(ctxt->context, arg2);
             return (total);
         case XPATH_OP_OR:
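Review bot: The new `if (ctxt->value != NULL)` guard on the AND branch (and the identical one in the OR hunk at `@@ -13252`) stops the NULL dereference but turns a corrupted stack into a silent no-op: arg2 is released and `total` is returned as if the operator had succeeded, so the caller gets whatever was left on the stack as the result with no error raised. xmlXPathBooleanFunction may already have recorded an error for the empty stack (its body is not visible here), but nothing in the hunk checks for that before continuing. A defensive alternative is to treat the empty stack as an invalid operand and bail out on the error path the function already uses (`return(0)` after an error, as on the context lines above), making sure arg2 is still released so it does not leak. If these were the only uses of `arg1` in xmlXPathCompOpEval, the now-unused local declared outside the hunk should be dropped as well; the enclosing function starts and ends outside both hunks.
```c
            xmlXPathBooleanFunction(ctxt, 1);
            if (ctxt->value == NULL) {
                /* stack corrupted (e.g. by an extension function): fail loudly instead of silently skipping the operator */
                xmlXPathReleaseObject(ctxt->context, arg2);
                XP_ERROR0(XPATH_INVALID_OPERAND);
            }
            ctxt->value->boolval &= arg2->boolval;
            // … unchanged: release of arg2 and return of total …
```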
@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
 		return(0);
 	    }
             xmlXPathBooleanFunction(ctxt, 1);
-            arg1 = valuePop(ctxt);
-            arg1->boolval |= arg2->boolval;
-            valuePush(ctxt, arg1);
+            if (ctxt->value != NULL)
+                ctxt->value->boolval |= arg2->boolval;
 	    xmlXPathReleaseObject(ctxt->context, arg2);
             return (total);
         case XPATH_OP_EQUAL:
-- 
2.22.0