Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame] | 1 | libxml2-2.9.4: Fix CVE-2017-5969 |
| 2 | |
| 3 | [No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=758422 |
| 4 | |
| 5 | valid: Fix NULL pointer deref in xmlDumpElementContent |
| 6 | |
| 7 | Can only be triggered in recovery mode. |
| 8 | |
| 9 | Fixes bug 758422 |
| 10 | |
| 11 | Upstream-Status: Backport - [https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882] |
| 12 | CVE: CVE-2017-5969 |
| 13 | Signed-off-by: Andrej Valek <andrej.valek@siemens.com> |
| 14 | |
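diff --git a/valid.c b/valid.c
index 19f84b8..0a8e58a 100644
--- a/valid.c
+++ b/valid.c
@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
 xmlBufferWriteCHAR(buf, content->name);
 break;
 case XML_ELEMENT_CONTENT_SEQ:
- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+ if ((content->c1 != NULL) &&
+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
 xmlDumpElementContent(buf, content->c1, 1);
 else
 xmlDumpElementContent(buf, content->c1, 0);
 xmlBufferWriteChar(buf, " , ");
- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+ if ((content->c2 != NULL) &&
+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
 xmlDumpElementContent(buf, content->c2, 1);
 else
 xmlDumpElementContent(buf, content->c2, 0);
 break;
 case XML_ELEMENT_CONTENT_OR:
- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+ if ((content->c1 != NULL) &&
+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
 xmlDumpElementContent(buf, content->c1, 1);
 else
 xmlDumpElementContent(buf, content->c1, 0);
 xmlBufferWriteChar(buf, " | ");
- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+ if ((content->c2 != NULL) &&
+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
 xmlDumpElementContent(buf, content->c2, 1);
 else
 xmlDumpElementContent(buf, content->c2, 0);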
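Review bot: The new `content->c1 != NULL` and `content->c2 != NULL` tests protect only the `->type` and `->ocur` reads in the four conditions; when a child is NULL, the `else` arm still calls `xmlDumpElementContent(buf, content->c1, 0)` (or the `c2` equivalent) with a NULL argument, in both the SEQ and OR cases. That is safe only if the function returns early on a NULL `content`, and any such guard would sit above this hunk, so it should be confirmed in the backported tree. A comment at the first check, such as `/* c1/c2 may be NULL in recovery mode; the recursive call relies on the NULL check at function entry */`, would make that dependency explicit. With a missing operand the buffer will also contain a dangling ` , ` or ` | `, so anything that re-parses the dumped content model should treat it as possibly malformed. The function body starts and ends outside the hunk.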