diff options
author | Andrej Valek <andrej.valek@siemens.com> | 2018-05-16 12:59:22 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-05-22 13:09:04 +0100 |
commit | a997bcd3f985b65141f9b7a497581da2fd7afc10 (patch) | |
tree | 9114a0106b4e513920f9da5a794d3e0f6cd68861 | |
parent | a36c1e514d43854b22da75a2ec4c8069a6eaab27 (diff) | |
download | openembedded-core-contrib-a997bcd3f985b65141f9b7a497581da2fd7afc10.tar.gz |
libxslt: Fix handling of RVTs returned from nested EXSLT functions
Set the context variable to NULL when evaluating EXSLT functions.
Fixes potential use-after-free errors or memory leaks.
Fixes bug 792580
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
-rw-r--r-- | meta/recipes-support/libxslt/libxslt/fix-rvts-handling.patch | 80 | ||||
-rw-r--r-- | meta/recipes-support/libxslt/libxslt_1.1.32.bb | 5 |
2 files changed, 84 insertions, 1 deletions
diff --git a/meta/recipes-support/libxslt/libxslt/fix-rvts-handling.patch b/meta/recipes-support/libxslt/libxslt/fix-rvts-handling.patch new file mode 100644 index 0000000000..424c976d9b --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/fix-rvts-handling.patch @@ -0,0 +1,80 @@ +libxslt-1.1.32: Fix handling of RVTs returned from nested EXSLT functions + +[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=792580 + +Set the context variable to NULL when evaluating EXSLT functions. +Fixes potential use-after-free errors or memory leaks. + +Upstream-Status: Backport [https://git.gnome.org/browse/libxslt/commit/?id=8bd32f7753ac253a54279a0b6a88d15a57076bb0] +bug: 792580 +Signed-off-by: Andrej Valek <andrej.valek@siemens.com> + +diff --git a/libexslt/functions.c b/libexslt/functions.c +index dc794e3..8511cb0 100644 +--- a/libexslt/functions.c ++++ b/libexslt/functions.c +@@ -280,6 +280,7 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) { + exsltFuncFunctionData *func; + xmlNodePtr paramNode, oldInsert, fake; + int oldBase; ++ void *oldCtxtVar; + xsltStackElemPtr params = NULL, param; + xsltTransformContextPtr tctxt = xsltXPathGetTransformContext(ctxt); + int i, notSet; +@@ -418,11 +419,14 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) { + fake = xmlNewDocNode(tctxt->output, NULL, + (const xmlChar *)"fake", NULL); + oldInsert = tctxt->insert; ++ oldCtxtVar = tctxt->contextVariable; + tctxt->insert = fake; ++ tctxt->contextVariable = NULL; + xsltApplyOneTemplate (tctxt, tctxt->node, + func->content, NULL, NULL); + xsltLocalVariablePop(tctxt, tctxt->varsBase, -2); + tctxt->insert = oldInsert; ++ tctxt->contextVariable = oldCtxtVar; + tctxt->varsBase = oldBase; /* restore original scope */ + if (params != NULL) + xsltFreeStackElemList(params); +diff --git a/tests/docs/bug-209.xml b/tests/docs/bug-209.xml +new file mode 100644 +index 0000000..69d62f2 +--- /dev/null ++++ b/tests/docs/bug-209.xml +@@ -0,0 +1 @@ ++<doc/> +diff --git a/tests/general/bug-209.out b/tests/general/bug-209.out +new file mode 100644 +index 0000000..e829790 +--- /dev/null ++++ b/tests/general/bug-209.out +@@ -0,0 +1,2 @@ ++<?xml version="1.0"?> ++<result/> +diff --git a/tests/general/bug-209.xsl b/tests/general/bug-209.xsl +new file mode 100644 +index 0000000..fe69ac6 +--- /dev/null ++++ b/tests/general/bug-209.xsl +@@ -0,0 +1,21 @@ ++<xsl:stylesheet ++ version="1.0" ++ xmlns:xsl="http://www.w3.org/1999/XSL/Transform" ++ xmlns:func="http://exslt.org/functions" ++ extension-element-prefixes="func"> ++ ++ <xsl:template match="/"> ++ <xsl:variable name="v" select="func:a()" /> ++ <xsl:copy-of select="$v"/> ++ </xsl:template> ++ ++ <func:function name="func:a"> ++ <func:result select="func:b()" /> ++ </func:function> ++ ++ <func:function name="func:b"> ++ <func:result> ++ <result/> ++ </func:result> ++ </func:function> ++</xsl:stylesheet> diff --git a/meta/recipes-support/libxslt/libxslt_1.1.32.bb b/meta/recipes-support/libxslt/libxslt_1.1.32.bb index 6a03f77699..f0fa5e723f 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.32.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.32.bb @@ -8,7 +8,10 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458" SECTION = "libs" DEPENDS = "libxml2" -SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz" +SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \ + file://fix-rvts-handling.patch \ + " + SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146" SRC_URI[sha256sum] = "526ecd0abaf4a7789041622c3950c0e7f2c4c8835471515fd77eec684a355460" |