[libxml2] Fix the XPath arity check to also check the XPath stack limits
- From: Daniel Veillard <veillard src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Fix the XPath arity check to also check the XPath stack limits
- Date: Mon, 27 Aug 2012 08:23:29 +0000 (UTC)
commit 8880170e2187d2041c81418711250841d264af02
Author: Daniel Veillard <veillard redhat com>
Date: Mon Aug 27 16:20:05 2012 +0800
Fix the XPath arity check to also check the XPath stack limits
Example xmlXPathNormalizeFunction() would do CHECK_ARITY(1)
and then expect valuePop(ctxt); to return an object, except
now valuePop() looks at the XPath stack frames and fails returning
NULL, and we end up crashing dereferencing the object.
Real solution is to extend CHECK_ARITY() and recompile all
XPath functions using it.
include/libxml/xpathInternals.h | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
---
diff --git a/include/libxml/xpathInternals.h b/include/libxml/xpathInternals.h
index dcd5243..a1944ae 100644
--- a/include/libxml/xpathInternals.h
+++ b/include/libxml/xpathInternals.h
@@ -296,7 +296,9 @@ XMLPUBFUN void * XMLCALL
#define CHECK_ARITY(x) \
if (ctxt == NULL) return; \
if (nargs != (x)) \
- XP_ERROR(XPATH_INVALID_ARITY);
+ XP_ERROR(XPATH_INVALID_ARITY); \
+ if (ctxt->valueNr < ctxt->valueFrame + (x)) \
+ XP_ERROR(XPATH_STACK_ERROR);
/**
* CAST_TO_STRING:
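Review bot: The new depth test in CHECK_ARITY, `if (ctxt->valueNr < ctxt->valueFrame + (x))`, only protects functions that invoke this macro with a fixed argument count and are rebuilt against the updated header. Because the macro lives in include/libxml/xpathInternals.h, XPath functions compiled against the old definition keep the unchecked behaviour until they are recompiled, as the commit message says, so that requirement is worth stating in the macro's doc comment or the release notes. Any function that calls valuePop() without going through CHECK_ARITY is not covered by this check and should still test the returned object for NULL before dereferencing it. As a style point, the macro now expands to three bare `if` statements ending in an `if` with no `else`; wrapping the body in `do { ... } while (0)` would keep it safe when used inside an unbraced `if`/`else` in a caller.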