Brad Bishop | 37a0e4d | 2017-12-04 01:01:44 -0500 | [diff] [blame^] | 1 | From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001 |
| 2 | From: Nick Wellnhofer <wellnhofer@aevum.de> |
| 3 | Date: Tue, 28 Jun 2016 14:22:23 +0200 |
| 4 | Subject: [PATCH] Fix XPointer paths beginning with range-to |
| 5 | |
| 6 | The old code would invoke the broken xmlXPtrRangeToFunction. range-to |
| 7 | isn't really a function but a special kind of location step. Remove |
| 8 | this function and always handle range-to in the XPath code. |
| 9 | |
| 10 | The old xmlXPtrRangeToFunction could also be abused to trigger a |
| 11 | use-after-free error with the potential for remote code execution. |
| 12 | |
| 13 | Found with afl-fuzz. |
| 14 | |
| 15 | Fixes CVE-2016-5131. |
| 16 | |
| 17 | CVE: CVE-2016-5131 |
| 18 | Upstream-Status: Backport |
| 19 | https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e |
| 20 | |
| 21 | Signed-off-by: Yi Zhao <yi.zhao@windirver.com> |
| 22 | --- |
| 23 | result/XPath/xptr/vidbase | 13 ++++++++ |
| 24 | test/XPath/xptr/vidbase | 1 + |
| 25 | xpath.c | 7 ++++- |
| 26 | xpointer.c | 76 ++++------------------------------------------- |
| 27 | 4 files changed, 26 insertions(+), 71 deletions(-) |
| 28 | |
| 29 | diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase |
| 30 | index 8b9e92d..f19193e 100644 |
| 31 | --- a/result/XPath/xptr/vidbase |
| 32 | +++ b/result/XPath/xptr/vidbase |
| 33 | @@ -17,3 +17,16 @@ Object is a Location Set: |
| 34 | To node |
| 35 | ELEMENT p |
| 36 | |
| 37 | + |
| 38 | +======================== |
| 39 | +Expression: xpointer(range-to(id('chapter2'))) |
| 40 | +Object is a Location Set: |
| 41 | +1 : Object is a range : |
| 42 | + From node |
| 43 | + / |
| 44 | + To node |
| 45 | + ELEMENT chapter |
| 46 | + ATTRIBUTE id |
| 47 | + TEXT |
| 48 | + content=chapter2 |
| 49 | + |
| 50 | diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase |
| 51 | index b146383..884b106 100644 |
| 52 | --- a/test/XPath/xptr/vidbase |
| 53 | +++ b/test/XPath/xptr/vidbase |
| 54 | @@ -1,2 +1,3 @@ |
| 55 | xpointer(id('chapter1')/p) |
| 56 | xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2])) |
| 57 | +xpointer(range-to(id('chapter2'))) |
| 58 | diff --git a/xpath.c b/xpath.c |
| 59 | index d992841..5a01b1b 100644 |
| 60 | --- a/xpath.c |
| 61 | +++ b/xpath.c |
| 62 | @@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) { |
| 63 | lc = 1; |
| 64 | break; |
| 65 | } else if ((NXT(len) == '(')) { |
| 66 | - /* Note Type or Function */ |
| 67 | + /* Node Type or Function */ |
| 68 | if (xmlXPathIsNodeType(name)) { |
| 69 | #ifdef DEBUG_STEP |
| 70 | xmlGenericError(xmlGenericErrorContext, |
| 71 | "PathExpr: Type search\n"); |
| 72 | #endif |
| 73 | lc = 1; |
| 74 | +#ifdef LIBXML_XPTR_ENABLED |
| 75 | + } else if (ctxt->xptr && |
| 76 | + xmlStrEqual(name, BAD_CAST "range-to")) { |
| 77 | + lc = 1; |
| 78 | +#endif |
| 79 | } else { |
| 80 | #ifdef DEBUG_STEP |
| 81 | xmlGenericError(xmlGenericErrorContext, |
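Review bot: The new `range-to` branch at the `xmlStrEqual(name, BAD_CAST "range-to")` test gives no hint why a name followed by `(` is classified as a location step (`lc = 1`) instead of a function call, and unlike its two sibling branches it emits no `DEBUG_STEP` trace. A one-line comment would keep the next reader from "fixing" it back into the function path, e.g. `/* XPointer range-to looks like a call but is a location step; compiled by the range-to case in xmlXPathCompStep (CVE-2016-5131) */`. The branch is only correct if that range-to step handling exists and `ctxt->xptr` is set by the XPointer evaluator; both are outside this hunk, so a backport onto an older tree should be checked against them. xmlXPathCompPathExpr begins and ends outside the hunk.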
| 82 | diff --git a/xpointer.c b/xpointer.c |
| 83 | index 676c510..d74174a 100644 |
| 84 | --- a/xpointer.c |
| 85 | +++ b/xpointer.c |
| 86 | @@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) { |
| 87 | ret->here = here; |
| 88 | ret->origin = origin; |
| 89 | |
| 90 | - xmlXPathRegisterFunc(ret, (xmlChar *)"range-to", |
| 91 | - xmlXPtrRangeToFunction); |
| 92 | xmlXPathRegisterFunc(ret, (xmlChar *)"range", |
| 93 | xmlXPtrRangeFunction); |
| 94 | xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside", |
| 95 | @@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) { |
| 96 | * @nargs: the number of args |
| 97 | * |
| 98 | * Implement the range-to() XPointer function |
| 99 | + * |
| 100 | + * Obsolete. range-to is not a real function but a special type of location |
| 101 | + * step which is handled in xpath.c. |
| 102 | */ |
| 103 | void |
| 104 | -xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) { |
| 105 | - xmlXPathObjectPtr range; |
| 106 | - const xmlChar *cur; |
| 107 | - xmlXPathObjectPtr res, obj; |
| 108 | - xmlXPathObjectPtr tmp; |
| 109 | - xmlLocationSetPtr newset = NULL; |
| 110 | - xmlNodeSetPtr oldset; |
| 111 | - int i; |
| 112 | - |
| 113 | - if (ctxt == NULL) return; |
| 114 | - CHECK_ARITY(1); |
| 115 | - /* |
| 116 | - * Save the expression pointer since we will have to evaluate |
| 117 | - * it multiple times. Initialize the new set. |
| 118 | - */ |
| 119 | - CHECK_TYPE(XPATH_NODESET); |
| 120 | - obj = valuePop(ctxt); |
| 121 | - oldset = obj->nodesetval; |
| 122 | - ctxt->context->node = NULL; |
| 123 | - |
| 124 | - cur = ctxt->cur; |
| 125 | - newset = xmlXPtrLocationSetCreate(NULL); |
| 126 | - |
| 127 | - for (i = 0; i < oldset->nodeNr; i++) { |
| 128 | - ctxt->cur = cur; |
| 129 | - |
| 130 | - /* |
| 131 | - * Run the evaluation with a node list made of a single item |
| 132 | - * in the nodeset. |
| 133 | - */ |
| 134 | - ctxt->context->node = oldset->nodeTab[i]; |
| 135 | - tmp = xmlXPathNewNodeSet(ctxt->context->node); |
| 136 | - valuePush(ctxt, tmp); |
| 137 | - |
| 138 | - xmlXPathEvalExpr(ctxt); |
| 139 | - CHECK_ERROR; |
| 140 | - |
| 141 | - /* |
| 142 | - * The result of the evaluation need to be tested to |
| 143 | - * decided whether the filter succeeded or not |
| 144 | - */ |
| 145 | - res = valuePop(ctxt); |
| 146 | - range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res); |
| 147 | - if (range != NULL) { |
| 148 | - xmlXPtrLocationSetAdd(newset, range); |
| 149 | - } |
| 150 | - |
| 151 | - /* |
| 152 | - * Cleanup |
| 153 | - */ |
| 154 | - if (res != NULL) |
| 155 | - xmlXPathFreeObject(res); |
| 156 | - if (ctxt->value == tmp) { |
| 157 | - res = valuePop(ctxt); |
| 158 | - xmlXPathFreeObject(res); |
| 159 | - } |
| 160 | - |
| 161 | - ctxt->context->node = NULL; |
| 162 | - } |
| 163 | - |
| 164 | - /* |
| 165 | - * The result is used as the new evaluation set. |
| 166 | - */ |
| 167 | - xmlXPathFreeObject(obj); |
| 168 | - ctxt->context->node = NULL; |
| 169 | - ctxt->context->contextSize = -1; |
| 170 | - ctxt->context->proximityPosition = -1; |
| 171 | - valuePush(ctxt, xmlXPtrWrapLocationSet(newset)); |
| 172 | +xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, |
| 173 | + int nargs ATTRIBUTE_UNUSED) { |
| 174 | + XP_ERROR(XPATH_EXPR_ERROR); |
| 175 | } |
| 176 | |
| 177 | /** |
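Review bot: The stub `xmlXPtrRangeToFunction` now unconditionally raises `XPATH_EXPR_ERROR`, but the header comment above it still opens with "Implement the range-to() XPointer function" and documents `@nargs` as "the number of args" although the parameter is now `ATTRIBUTE_UNUSED`; the added "Obsolete" note says the function is obsolete without saying what a caller gets. I would replace the description with `Obsolete stub kept so the exported symbol remains; range-to is compiled as a location step in xpath.c, and calling this function always raises XPATH_EXPR_ERROR.` and mark `@nargs` as ignored. Whether the symbol is still declared in a public header is not visible here; if it is not, the stub could be dropped together with its comment block. The start of that comment block (the `@ctxt` line) lies above the hunk.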
| 178 | -- |
| 179 | 2.7.4 |
| 180 | |