[libxml2] Fix NULL pointer deref in XPointer range-to
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Fix NULL pointer deref in XPointer range-to
- Date: Sat, 25 Jun 2016 12:28:59 +0000 (UTC)
commit d8083bf77955b7879c1290f0c0a24ab8cc70f7fb
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Sat Jun 25 12:35:50 2016 +0200
Fix NULL pointer deref in XPointer range-to
- Check for errors after evaluating first operand.
- Add sanity check for empty stack.
Found with afl-fuzz.
result/XPath/xptr/viderror | 4 ++++
test/XPath/xptr/viderror | 1 +
xpath.c | 7 ++++++-
3 files changed, 11 insertions(+), 1 deletions(-)
---
diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror
new file mode 100644
index 0000000..d589882
--- /dev/null
+++ b/result/XPath/xptr/viderror
@@ -0,0 +1,4 @@
+
+========================
+Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))
+Object is empty (NULL)
diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror
new file mode 100644
index 0000000..da8c53b
--- /dev/null
+++ b/test/XPath/xptr/viderror
@@ -0,0 +1 @@
+xpointer(non-existing-fn()/range-to(id('chapter2')))
diff --git a/xpath.c b/xpath.c
index 113bce6..751665b 100644
--- a/xpath.c
+++ b/xpath.c
@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
xmlNodeSetPtr oldset;
int i, j;
- if (op->ch1 != -1)
+ if (op->ch1 != -1) {
total +=
xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
+ CHECK_ERROR0;
+ }
+ if (ctxt->value == NULL) {
+ XP_ERROR0(XPATH_INVALID_OPERAND);
+ }
if (op->ch2 == -1)
return (total);
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
