libxml2: Necessary changes before fixing CVE-2016-5131
xpath: - Check for errors after evaluating first operand. - Add sanity check for empty stack. - Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes (From OE-Core rev: 96ef568f75dded56a2123b63dcc8b443f796afe0) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
333890953d
commit
c7f9007132
|
@ -0,0 +1,67 @@
|
|||
libxml2-2.9.4: Fix comparison with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer
|
||||
|
||||
xpath:
|
||||
- Check for errors after evaluating first operand.
|
||||
- Add sanity check for empty stack.
|
||||
- Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes
|
||||
|
||||
Upstream-Status: Backported
|
||||
- [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b]
|
||||
- [https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8]
|
||||
CVE: necessary changes for fixing CVE-2016-5131
|
||||
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
|
||||
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
|
||||
|
||||
diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror
|
||||
new file mode 100644
|
||||
index 0000000..d589882
|
||||
--- /dev/null
|
||||
+++ b/result/XPath/xptr/viderror
|
||||
@@ -0,0 +1,4 @@
|
||||
+
|
||||
+========================
|
||||
+Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))
|
||||
+Object is empty (NULL)
|
||||
diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror
|
||||
new file mode 100644
|
||||
index 0000000..da8c53b
|
||||
--- /dev/null
|
||||
+++ b/test/XPath/xptr/viderror
|
||||
@@ -0,0 +1 @@
|
||||
+xpointer(non-existing-fn()/range-to(id('chapter2')))
|
||||
diff --git a/xpath.c b/xpath.c
|
||||
index 113bce6..d992841 100644
|
||||
--- a/xpath.c
|
||||
+++ b/xpath.c
|
||||
@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
|
||||
* compute depth to root
|
||||
*/
|
||||
for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
|
||||
- if (cur == node1)
|
||||
+ if (cur->parent == node1)
|
||||
return(1);
|
||||
depth2++;
|
||||
}
|
||||
root = cur;
|
||||
for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
|
||||
- if (cur == node2)
|
||||
+ if (cur->parent == node2)
|
||||
return(-1);
|
||||
depth1++;
|
||||
}
|
||||
@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
|
||||
xmlNodeSetPtr oldset;
|
||||
int i, j;
|
||||
|
||||
- if (op->ch1 != -1)
|
||||
+ if (op->ch1 != -1) {
|
||||
total +=
|
||||
xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
|
||||
+ CHECK_ERROR0;
|
||||
+ }
|
||||
+ if (ctxt->value == NULL) {
|
||||
+ XP_ERROR0(XPATH_INVALID_OPERAND);
|
||||
+ }
|
||||
if (op->ch2 == -1)
|
||||
return (total);
|
||||
|
|
@ -19,6 +19,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
|
|||
file://run-ptest \
|
||||
file://python-sitepackages-dir.patch \
|
||||
file://libxml-m4-use-pkgconfig.patch \
|
||||
file://libxml2-fix_node_comparison.patch \
|
||||
file://libxml2-CVE-2016-5131.patch \
|
||||
"
|
||||
|
||||
|
|
Loading…
Reference in New Issue