Brad Bishop | 64c979e | 2019-11-04 13:55:29 -0500 | [diff] [blame^] | 1 | libxslt: fix CVE-2019-18197 |

Added after 1.1.33 release.

CVE: CVE-2019-18197
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt.git]
Signed-off-by: Joe Slater <joe.slater@windriver.com>

commit 2232473733b7313d67de8836ea3b29eec6e8e285
Author: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat Aug 17 16:51:53 2019 +0200

Fix dangling pointer in xsltCopyText

xsltCopyText didn't reset ctxt->lasttext in some cases which could
lead to various memory errors in relation with CDATA sections in input
documents.

Found by OSS-Fuzz.

diff --git a/libxslt/transform.c b/libxslt/transform.c
index 95ebd07..d7ab0b6 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
| 25 | @@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target, |
| 26 | if ((copy->content = xmlStrdup(cur->content)) == NULL) |
| 27 | return NULL; |
| 28 | } |
| 29 | + |
| 30 | + ctxt->lasttext = NULL; |
| 31 | } else { |
| 32 | /* |
| 33 | * normal processing. keep counters to extend the text node |
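Review bot: the added `ctxt->lasttext = NULL;` has no comment, so the only explanation of why a stale `lasttext` is dangerous lives in the commit message; since the `else` branch directly below says it keeps counters "to extend the text node", a one-line comment at the reset such as `/* the else path extends ctxt->lasttext; never let it point at a node copied here */` would keep that invariant visible where it matters. Also, the reset sits after the `return NULL;` taken when `xmlStrdup` fails, so on that path `ctxt->lasttext` keeps its previous value; that is only harmless if every caller treats a NULL return as fatal for the transform, which is worth confirming against the 1.1.33 tree this backport targets rather than assuming from the newer upstream context.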