| libxml2-2.9.4: Fix CVE-2017-5969 |
| |
| [No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=758422 |
| |
| valid: Fix NULL pointer deref in xmlDumpElementContent |
| |
| Can only be triggered in recovery mode. |
| |
| Fixes bug 758422 |
| |
| Upstream-Status: Backport - [https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882] |
| CVE: CVE-2017-5969 |
| Signed-off-by: Andrej Valek <andrej.valek@siemens.com> |
| |
| diff --git a/valid.c b/valid.c |
| index 19f84b8..0a8e58a 100644 |
| --- a/valid.c |
| +++ b/valid.c |
| @@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob) |
| xmlBufferWriteCHAR(buf, content->name); |
| break; |
| case XML_ELEMENT_CONTENT_SEQ: |
| - if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || |
| - (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) |
| + if ((content->c1 != NULL) && |
| + ((content->c1->type == XML_ELEMENT_CONTENT_OR) || |
| + (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) |
| xmlDumpElementContent(buf, content->c1, 1); |
| else |
| xmlDumpElementContent(buf, content->c1, 0); |
| xmlBufferWriteChar(buf, " , "); |
| - if ((content->c2->type == XML_ELEMENT_CONTENT_OR) || |
| - ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && |
| - (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) |
| + if ((content->c2 != NULL) && |
| + ((content->c2->type == XML_ELEMENT_CONTENT_OR) || |
| + ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && |
| + (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) |
| xmlDumpElementContent(buf, content->c2, 1); |
| else |
| xmlDumpElementContent(buf, content->c2, 0); |
| break; |
| case XML_ELEMENT_CONTENT_OR: |
| - if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || |
| - (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) |
| + if ((content->c1 != NULL) && |
| + ((content->c1->type == XML_ELEMENT_CONTENT_OR) || |
| + (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) |
| xmlDumpElementContent(buf, content->c1, 1); |
| else |
| xmlDumpElementContent(buf, content->c1, 0); |
| xmlBufferWriteChar(buf, " | "); |
| - if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || |
| - ((content->c2->type == XML_ELEMENT_CONTENT_OR) && |
| - (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) |
| + if ((content->c2 != NULL) && |
| + ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || |
| + ((content->c2->type == XML_ELEMENT_CONTENT_OR) && |
| + (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) |
| xmlDumpElementContent(buf, content->c2, 1); |
| else |
| xmlDumpElementContent(buf, content->c2, 0); |
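Review bot: The `else` branches in both the `XML_ELEMENT_CONTENT_SEQ` and `XML_ELEMENT_CONTENT_OR` cases still pass a possibly-NULL `content->c1` or `content->c2` into the recursive `xmlDumpElementContent(buf, ..., 0)` call. The new guards only protect the `->type` and `->ocur` reads, so the fix is complete only if the function returns early on a NULL `content`; that entry check lies outside this hunk and should be confirmed in the tree this backport is applied to. If it is present, a comment at the first guard would record the dependency, e.g. `/* c1/c2 may be NULL in recovery mode; the recursive call returns early on NULL */`. In that case the separator `" , "` or `" | "` is still written next to an empty operand, so the dumped declaration is presumably not a well-formed content model, and callers that re-parse the dump should not assume it is.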