Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 36acd3e888044dea2ac0b2946f15616f968388c9 / . / import-layers / yocto-poky / meta / recipes-core / libxml / libxml2 / libxml2-CVE-2017-5969.patch
blob: 571b05c087f686b17c08bb46ecb7f4e0bb58778a [file] [log] [blame]
Brad Bishop6e60e8b2018-02-01 10:27:11 -0500[diff] [blame]1libxml2-2.9.4: Fix CVE-2017-5969
2
3[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=758422
4
5valid: Fix NULL pointer deref in xmlDumpElementContent
6
7Can only be triggered in recovery mode.
8
9Fixes bug 758422
10
11Upstream-Status: Backport - [https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882]
12CVE: CVE-2017-5969
13Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
14
15diff --git a/valid.c b/valid.c
16index 19f84b8..0a8e58a 100644
17--- a/valid.c
18+++ b/valid.c
19@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
20 xmlBufferWriteCHAR(buf, content->name);
21 break;
22 case XML_ELEMENT_CONTENT_SEQ:
23- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
24- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
25+ if ((content->c1 != NULL) &&
26+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
27+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
28 xmlDumpElementContent(buf, content->c1, 1);
29 else
30 xmlDumpElementContent(buf, content->c1, 0);
31 xmlBufferWriteChar(buf, " , ");
32- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
33- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
34- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
35+ if ((content->c2 != NULL) &&
36+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
37+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
38+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
39 xmlDumpElementContent(buf, content->c2, 1);
40 else
41 xmlDumpElementContent(buf, content->c2, 0);
42 break;
43 case XML_ELEMENT_CONTENT_OR:
44- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
45- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
46+ if ((content->c1 != NULL) &&
47+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
48+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
49 xmlDumpElementContent(buf, content->c1, 1);
50 else
51 xmlDumpElementContent(buf, content->c1, 0);
52 xmlBufferWriteChar(buf, " | ");
53- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
54- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
55- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
56+ if ((content->c2 != NULL) &&
57+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
58+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
59+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
60 xmlDumpElementContent(buf, content->c2, 1);
61 else
62 xmlDumpElementContent(buf, content->c2, 0);