rpms / libxml2

Clone
Source Code
GIT

Blame SOURCES/libxml2-2.9.1-CVE-2017-15412.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c7-beta
  2.   SOURCES
  3.   libxml2-2.9.1-CVE-2017-15412.patch
Blob History Raw
83ebca 
From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001
83ebca 
From: Nick Wellnhofer <wellnhofer@aevum.de>
83ebca 
Date: Thu, 1 Jun 2017 23:12:19 +0200
83ebca 
Subject: [PATCH] Fix XPath stack frame logic
83ebca
83ebca 
Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
83ebca 
xmlXPathCompOpEvalPositionalPredicate to make sure that the context
83ebca 
object on the stack is actually protected. Otherwise, memory corruption
83ebca 
can occur when calling sloppily coded XPath extension functions.
83ebca
83ebca 
Fixes bug 783160.
83ebca 
---
83ebca 
 xpath.c | 4 ++--
83ebca 
 1 file changed, 2 insertions(+), 2 deletions(-)
83ebca
83ebca 
diff --git a/xpath.c b/xpath.c
83ebca 
index 94815075..b816bd36 100644
83ebca 
--- a/xpath.c
83ebca 
+++ b/xpath.c
83ebca 
@@ -11932,11 +11932,11 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
83ebca 
 		}
83ebca 
 	    }
83ebca
83ebca 
-            frame = xmlXPathSetFrame(ctxt);
83ebca 
 	    valuePush(ctxt, contextObj);
83ebca 
+            frame = xmlXPathSetFrame(ctxt);
83ebca 
 	    res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
83ebca 
-            tmp = valuePop(ctxt);
83ebca 
             xmlXPathPopFrame(ctxt, frame);
83ebca 
+            tmp = valuePop(ctxt);
83ebca
83ebca 
 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
83ebca 
                 while (tmp != contextObj) {
83ebca 
--
83ebca 
2.22.0
83ebca

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation