1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 17 Aug 2019 16:51:53 +0200
Subject: Fix dangling pointer in xsltCopyText
Origin: https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18197
Bug-Debian: https://bugs.debian.org/942646
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914
xsltCopyText didn't reset ctxt->lasttext in some cases which could
lead to various memory errors in relation with CDATA sections in input
documents.
Found by OSS-Fuzz.
---
libxslt/transform.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 95ebd0732f95..d7ab0b6677cc 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
if ((copy->content = xmlStrdup(cur->content)) == NULL)
return NULL;
}
+
+ ctxt->lasttext = NULL;
} else {
/*
* normal processing. keep counters to extend the text node
--
2.20.1
|