author | Joe Slater <joe.slater@windriver.com> | 2019-10-22 18:59:51 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-10-31 16:07:11 +0000 |
commit | 1263db2759b88e423bb717cc0cfc256c7962871b (patch) | |
tree | 4b106f55ded0629b05a21a8e1aeff32f9d5e9f06 /meta/recipes-support/libxslt/files/CVE-2019-18197.patch | |
parent | 844e7aa217f5ecf46766a07d46f9d7f083668e8e (diff) | |
libxslt: fix CVE-2019-18197
Use patch from upstream after 1.1.33 release.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-support/libxslt/files/CVE-2019-18197.patch')
-rw-r--r-- | meta/recipes-support/libxslt/files/CVE-2019-18197.patch | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-18197.patch b/meta/recipes-support/libxslt/files/CVE-2019-18197.patch new file mode 100644 index 0000000000..5f2b620396 --- /dev/null +++ b/meta/recipes-support/libxslt/files/CVE-2019-18197.patch @@ -0,0 +1,33 @@ +libxslt: fix CVE-2019-18197 + +Added after 1.1.33 release. + +CVE: CVE-2019-18197 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt.git] +Signed-off-by: Joe Slater <joe.slater@windriver.com> + +commit 2232473733b7313d67de8836ea3b29eec6e8e285 +Author: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sat Aug 17 16:51:53 2019 +0200 + + Fix dangling pointer in xsltCopyText + + xsltCopyText didn't reset ctxt->lasttext in some cases which could + lead to various memory errors in relation with CDATA sections in input + documents. + + Found by OSS-Fuzz. + +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 95ebd07..d7ab0b6 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target, + if ((copy->content = xmlStrdup(cur->content)) == NULL) + return NULL; + } ++ ++ ctxt->lasttext = NULL; + } else { + /* + * normal processing. keep counters to extend the text node |
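Review bot: In the libxslt/transform.c hunk, the added `ctxt->lasttext = NULL;` comes after the `return NULL` taken when `xmlStrdup(cur->content)` fails, so that early exit leaves `ctxt->lasttext` unchanged. If a transform can keep running after xsltCopyText returns NULL there, the stale-pointer condition described in the commit message is still reachable on the allocation-failure path. Clearing the pointer before the `xmlStrdup` call, or on the error path as well, would close that. Since this file is a verbatim backport, the point is better raised upstream than changed locally. A one-line comment above the reset stating why the pointer is cleared in this branch would also help later readers of transform.c. Separately, the `Upstream-Status: Backport` line in the patch header points at the repository URL, while the commit id 2232473733b7313d67de8836ea3b29eec6e8e285 only appears further down; putting the commit reference in the Backport tag would make the origin easier to audit.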