import-layers/yocto-poky/meta/recipes-core/libxml/libxml2/libxml2-fix_node_comparison.patch - openbmc/openbmc - Gitiles

 libxml2-2.9.4: Fix comparison with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer

 xpath:
  - Check for errors after evaluating first operand.
  - Add sanity check for empty stack.
  - Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes

 Upstream-Status: Backport
  - [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b]
  - [https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8]
 CVE: CVE-2016-5131
 Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
 Signed-off-by: Pascal Bach <pascal.bach@siemens.com>

 diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror
 new file mode 100644
 index 0000000..d589882
 --- /dev/null
 +++ b/result/XPath/xptr/viderror
 @@ -0,0 +1,4 @@
 +
 +========================
 +Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))
 +Object is empty (NULL)
 diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror
 new file mode 100644
 index 0000000..da8c53b
 --- /dev/null
 +++ b/test/XPath/xptr/viderror
 @@ -0,0 +1 @@
 +xpointer(non-existing-fn()/range-to(id('chapter2')))
 diff --git a/xpath.c b/xpath.c
 index 113bce6..d992841 100644
 --- a/xpath.c
 +++ b/xpath.c
 @@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
       * compute depth to root
       */
      for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
 -	if (cur == node1)
 +	if (cur->parent == node1)
  	    return(1);
  	depth2++;
      }
      root = cur;
      for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
 -	if (cur == node2)
 +	if (cur->parent == node2)
  	    return(-1);
  	depth1++;
      }
 @@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
                  xmlNodeSetPtr oldset;
                  int i, j;

 -                if (op->ch1 != -1)
 +                if (op->ch1 != -1) {
                      total +=
                          xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
 +                    CHECK_ERROR0;
 +                }
 +                if (ctxt->value == NULL) {
 +                    XP_ERROR0(XPATH_INVALID_OPERAND);
 +                }
                  if (op->ch2 == -1)
                      return (total);
	libxml2-2.9.4: Fix comparison with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer

	xpath:
	- Check for errors after evaluating first operand.
	- Add sanity check for empty stack.
	- Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes

	Upstream-Status: Backport
	- [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b]
	- [https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8]
	CVE: CVE-2016-5131
	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
	Signed-off-by: Pascal Bach <pascal.bach@siemens.com>

	diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror
	new file mode 100644
	index 0000000..d589882
	--- /dev/null
	+++ b/result/XPath/xptr/viderror
	@@ -0,0 +1,4 @@
	+
	+========================
	+Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))
	+Object is empty (NULL)
	diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror
	new file mode 100644
	index 0000000..da8c53b
	--- /dev/null
	+++ b/test/XPath/xptr/viderror
	@@ -0,0 +1 @@
	+xpointer(non-existing-fn()/range-to(id('chapter2')))
	diff --git a/xpath.c b/xpath.c
	index 113bce6..d992841 100644
	--- a/xpath.c
	+++ b/xpath.c
	@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
	* compute depth to root
	*/
	for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
	- if (cur == node1)
	+ if (cur->parent == node1)
	return(1);
	depth2++;
	}
	root = cur;
	for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
	- if (cur == node2)
	+ if (cur->parent == node2)
	return(-1);
	depth1++;
	}
	@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
	xmlNodeSetPtr oldset;
	int i, j;

	- if (op->ch1 != -1)
	+ if (op->ch1 != -1) {
	total +=
	xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
	+ CHECK_ERROR0;
	+ }
	+ if (ctxt->value == NULL) {
	+ XP_ERROR0(XPATH_INVALID_OPERAND);
	+ }
	if (op->ch2 == -1)
	return (total);