| libxslt: fix CVE-2019-18197 |
| |
| Added after 1.1.33 release. |
| |
| CVE: CVE-2019-18197 |
| Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt.git] |
| Signed-off-by: Joe Slater <joe.slater@windriver.com> |
| |
| commit 2232473733b7313d67de8836ea3b29eec6e8e285 |
| Author: Nick Wellnhofer <wellnhofer@aevum.de> |
| Date: Sat Aug 17 16:51:53 2019 +0200 |
| |
| Fix dangling pointer in xsltCopyText |
| |
| xsltCopyText didn't reset ctxt->lasttext in some cases which could |
| lead to various memory errors in relation with CDATA sections in input |
| documents. |
| |
| Found by OSS-Fuzz. |
| |
| diff --git a/libxslt/transform.c b/libxslt/transform.c |
| index 95ebd07..d7ab0b6 100644 |
| --- a/libxslt/transform.c |
| +++ b/libxslt/transform.c |
| @@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target, |
| if ((copy->content = xmlStrdup(cur->content)) == NULL) |
| return NULL; |
| } |
| + |
| + ctxt->lasttext = NULL; |
| } else { |
| /* |
| * normal processing. keep counters to extend the text node |
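Review bot: the added `ctxt->lasttext = NULL;` at the end of the first branch has no comment explaining why this path must invalidate the cached pointer, while the `else` branch just below documents that it keeps counters to extend the text node. A one-line comment would help, for example noting that the node created in this branch is not the one the lasttext counters describe, so the cache must be dropped. Also note that the `return NULL;` in the context lines above exits before the reset is reached; it is worth confirming that `ctxt->lasttext` cannot be left stale on that allocation-failure path, or moving the reset ahead of the `xmlStrdup` call so every exit from this branch clears it.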