Package: libxslt / 1.1.32-2.2~deb10u1

0009-Fix-dangling-pointer-in-xsltCopyText.patch
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 17 Aug 2019 16:51:53 +0200
Subject: Fix dangling pointer in xsltCopyText
Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18197
Bug-Debian: https://bugs.debian.org/942646
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914

xsltCopyText didn't reset ctxt->lasttext in some cases which could
lead to various memory errors in relation with CDATA sections in input
documents.

Found by OSS-Fuzz.
---
 libxslt/transform.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libxslt/transform.c b/libxslt/transform.c
index 95ebd0732f95..d7ab0b6677cc 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
 	    if ((copy->content = xmlStrdup(cur->content)) == NULL)
 		return NULL;
 	}
+
+	ctxt->lasttext = NULL;
     } else {
         /*
 	 * normal processing. keep counters to extend the text node
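Review bot: the new `ctxt->lasttext = NULL;` sits after the `if ((copy->content = xmlStrdup(cur->content)) == NULL) return NULL;` check, so on the allocation-failure path the function returns with `ctxt->lasttext` still untouched; consider moving the reset above the `xmlStrdup` call (it does not depend on the copy succeeding) or noting in the commit message why the error path is safe. The added line also has no comment, unlike the `else` branch below it ("normal processing. keep counters to extend the text node"); a one-line comment stating that a node copied on this branch must not be extended by later text, and that the cache is therefore dropped, would make the invariant visible to the next reader. Since the message says the bug was found by OSS-Fuzz on CDATA sections, adding the triggering document as a regression test alongside this two-line fix would be worthwhile.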
-- 
2.20.1