path: root/meta/recipes-support/libxslt/files/CVE-2019-18197.patch
libxslt: fix CVE-2019-18197

Added after 1.1.33 release.

CVE: CVE-2019-18197
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt.git]
Signed-off-by: Joe Slater <joe.slater@windriver.com>

commit 2232473733b7313d67de8836ea3b29eec6e8e285
Author: Nick Wellnhofer <wellnhofer@aevum.de>
Date:   Sat Aug 17 16:51:53 2019 +0200

    Fix dangling pointer in xsltCopyText
    
    xsltCopyText didn't reset ctxt->lasttext in some cases which could
    lead to various memory errors in relation with CDATA sections in input
    documents.
    
    Found by OSS-Fuzz.

diff --git a/libxslt/transform.c b/libxslt/transform.c
index 95ebd07..d7ab0b6 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
 	    if ((copy->content = xmlStrdup(cur->content)) == NULL)
 		return NULL;
 	}
+
+	ctxt->lasttext = NULL;
     } else {
         /*
 	 * normal processing. keep counters to extend the text node
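Review bot: The `return NULL` taken when `xmlStrdup` fails sits above the added `ctxt->lasttext = NULL;`, so that allocation-failure path still leaves `ctxt->lasttext` pointing wherever it did before the call. If the transform context is used again after a NULL return (the callers are not visible here), the stale pointer this patch clears can survive on that path; resetting before the bail-out closes it: `if ((copy->content = xmlStrdup(cur->content)) == NULL) { ctxt->lasttext = NULL; return NULL; }`. The same early return also appears to drop `copy` without freeing it, though its allocation lies outside the hunk, as do the start and end of xsltCopyText. A one-line comment above the reset, for example `/* this node is not tracked through lasttext; clear the cached pointer so later text appends cannot touch freed content */`, would record why the line must stay.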