[Reproducible-commits] [libxslt] 01/02: Patch for three CVEs
Mattia Rizzolo
mattia at debian.org
Fri May 20 12:49:09 UTC 2016
This is an automated email from the git hooks/post-receive script.
mattia pushed a commit to annotated tag debian/1.1.26-14
in repository libxslt.
commit b3d77a3a37d0365d58e0645cc7fd13de37a9e5ca
Author: Aron Xu <aron at debian.org>
Date: Tue Oct 2 23:45:54 2012 +0800
Patch for three CVEs
* CVE-2012-2870
* CVE-2012-2871
* CVE-2012-2893
---
debian/patches/0005-cve-2012-2825.patch | 4 +-
debian/patches/0006-cve-2012-2870.patch | 859 +++++++++++++++++++++
...lt-template-processing-on-namespace-nodes.patch | 34 +
.../0008-Fix-a-dictionary-string-usage.patch | 104 +++
debian/patches/series | 3 +
5 files changed, 1001 insertions(+), 3 deletions(-)
diff --git a/debian/patches/0005-cve-2012-2825.patch b/debian/patches/0005-cve-2012-2825.patch
index 2b67304..33e7f13 100644
--- a/debian/patches/0005-cve-2012-2825.patch
+++ b/debian/patches/0005-cve-2012-2825.patch
@@ -1,8 +1,6 @@
From: Chris Evans <cevans at chromium.org>
Date: Thu, 5 Jul 2012 11:08:31 +0800
-Subject: cve-2012-2825
-
-[PATCH] Fix crash with unexpected DTD nodes in XSLT.
+Subject: Fix crash with unexpected DTD nodes in XSLT.
A fix for XSLT node checking.
---
diff --git a/debian/patches/0006-cve-2012-2870.patch b/debian/patches/0006-cve-2012-2870.patch
new file mode 100644
index 0000000..3571018
--- /dev/null
+++ b/debian/patches/0006-cve-2012-2870.patch
@@ -0,0 +1,859 @@
+From: Aron Xu <aron at debian.org>
+Date: Thu, 9 Aug 2012 15:31:07 +0800
+Subject: cve 2012 2870
+
+ * Daniel Veillard:
+ Cleanup of the pattern compilation code
+ Avoid potential crashes and memory leaks
+ * Chris Evans:
+ Avoid a heap use after free error
+ For https://code.google.com/p/chromium/issues/detail?id=140368
+ * Daniel Veillard:
+ Hardening of code checking node types in EXSLT
+ Hardening of code checking node types in various entry point
+---
+ libexslt/functions.c | 6 ++++--
+ libxslt/attributes.c | 5 +++--
+ libxslt/functions.c | 6 ++++--
+ libxslt/pattern.c | 53 ++++++++++++++++++++++++++++++++++++++++++++------
+ libxslt/preproc.c | 45 +++++++++++++++++++++---------------------
+ libxslt/templates.c | 15 +++++++++-----
+ libxslt/transform.c | 2 +-
+ libxslt/variables.c | 10 +++++-----
+ libxslt/xslt.c | 43 +++++++++++++++++++++++-----------------
+ libxslt/xsltutils.c | 27 +++++++++++++++++--------
+ 10 files changed, 141 insertions(+), 71 deletions(-)
+
+diff --git a/libexslt/functions.c b/libexslt/functions.c
+index 13fd06e..4c68cea 100644
+--- a/libexslt/functions.c
++++ b/libexslt/functions.c
+@@ -459,10 +459,9 @@ exsltFuncFunctionComp (xsltStylesheetPtr style, xmlNodePtr inst) {
+ xmlHashTablePtr data;
+ exsltFuncFunctionData *func;
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+-
+ {
+ xmlChar *qname;
+
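Review bot: The added `inst->type != XML_ELEMENT_NODE` test in exsltFuncFunctionComp carries no comment, and the same condition is pasted into exsltFuncResultComp below and into the entry points patched in attributes.c, preproc.c, templates.c, variables.c and xslt.c. The guard alone does not say which non-element inputs are expected; the xsltutils.c and transform.c changes in this series suggest namespace declarations passed as xmlNodePtr are the case in mind. I would add `/* inst may be a non-element node (e.g. a namespace declaration cast to xmlNodePtr); element-only fields must not be read */` above the check, or fold the three-part test into one shared macro so the rule is stated once. Both functions continue outside their hunks.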
+@@ -546,6 +545,9 @@ exsltFuncResultComp (xsltStylesheetPtr style, xmlNodePtr inst,
+ xmlChar *sel;
+ exsltFuncResultPreComp *ret;
+
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
++ return (NULL);
++
+ /*
+ * "Validity" checking
+ */
+diff --git a/libxslt/attributes.c b/libxslt/attributes.c
+index ce47df7..11d558b 100644
+--- a/libxslt/attributes.c
++++ b/libxslt/attributes.c
+@@ -293,7 +293,7 @@ xsltParseStylesheetAttributeSet(xsltStylesheetPtr style, xmlNodePtr cur) {
+ xmlNodePtr child;
+ xsltAttrElemPtr attrItems;
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ value = xmlGetNsProp(cur, (const xmlChar *)"name", NULL);
+@@ -656,7 +656,8 @@ xsltAttributeInternal(xsltTransformContextPtr ctxt,
+ xmlNsPtr ns = NULL;
+ xmlAttrPtr attr;
+
+- if ((ctxt == NULL) || (contextNode == NULL) || (inst == NULL))
++ if ((ctxt == NULL) || (contextNode == NULL) || (inst == NULL) ||
++ (inst->type != XML_ELEMENT_NODE) )
+ return;
+
+ /*
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index de962f4..845633b 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -654,6 +654,7 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
+ void
+ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+ xmlNodePtr cur = NULL;
++ xmlXPathObjectPtr obj = NULL;
+ long val;
+ xmlChar str[30];
+ xmlDocPtr doc;
+@@ -661,7 +662,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+ if (nargs == 0) {
+ cur = ctxt->context->node;
+ } else if (nargs == 1) {
+- xmlXPathObjectPtr obj;
+ xmlNodeSetPtr nodelist;
+ int i, ret;
+
+@@ -684,7 +684,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+ if (ret == -1)
+ cur = nodelist->nodeTab[i];
+ }
+- xmlXPathFreeObject(obj);
+ } else {
+ xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL,
+ "generate-id() : invalid number of args %d\n", nargs);
+@@ -707,6 +706,9 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+
+ }
+
++ if (obj)
++ xmlXPathFreeObject(obj);
++
+ val = (long)((char *)cur - (char *)doc);
+ if (val >= 0) {
+ sprintf((char *)str, "idp%ld", val);
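Review bot: Nothing in xsltGenerateIdFunction records why `xmlXPathFreeObject(obj)` was moved out of the `nargs == 1` branch to this late point, so a later cleanup could move it back. cur is taken from `nodelist->nodeTab[i]`, and presumably some of those entries (namespace nodes) live in storage owned by obj, which is why cur must not be dereferenced after the free. A comment such as `/* cur may point into storage owned by obj; release obj only after cur has last been dereferenced */` above the new `if (obj)` block would pin that down. Any early return between the pop of obj and this block would leak it; the lines between the hunks are not shown, so that is worth checking.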
+diff --git a/libxslt/pattern.c b/libxslt/pattern.c
+index 4ce3e12..a13153a 100644
+--- a/libxslt/pattern.c
++++ b/libxslt/pattern.c
+@@ -303,6 +303,10 @@ xsltCompMatchAdd(xsltParserContextPtr ctxt, xsltCompMatchPtr comp,
+ "xsltCompMatchAdd: memory re-allocation failure.\n");
+ if (ctxt->style != NULL)
+ ctxt->style->errors++;
++ if (value)
++ xmlFree(value);
++ if (value2)
++ xmlFree(value2);
+ return (-1);
+ }
+ comp->maxStep *= 2;
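Review bot: With the two `xmlFree` calls added here, xsltCompMatchAdd releases value and value2 on the re-allocation failure path, but that transfer of ownership is undocumented and the callers only clear their pointers after a successful PUSH (`PUSH(XSLT_OP_ATTR, token, URL, novar); token = NULL;` in the parse_node_test hunks). If PUSH jumps to an error label when xsltCompMatchAdd fails, and that label still frees token, the same string would be freed twice; the macro and the label are outside the visible hunks, so this needs confirming. I would state the contract in the function comment, `value and value2 are consumed by this call, on success and on failure`, and make sure no caller's error path frees a pointer it has already handed to PUSH.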
+@@ -1381,17 +1385,22 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ NEXT;
+ SKIP_BLANKS;
+ lit = xsltScanLiteral(ctxt);
+- if (ctxt->error)
++ if (ctxt->error) {
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltCompileIdKeyPattern : Literal expected\n");
+ return;
++ }
+ SKIP_BLANKS;
+ if (CUR != ')') {
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltCompileIdKeyPattern : ) expected\n");
++ xmlFree(lit);
+ ctxt->error = 1;
+ return;
+ }
+ NEXT;
+ PUSH(XSLT_OP_ID, lit, NULL, novar);
++ lit = NULL;
+ } else if ((aid) && (xmlStrEqual(name, (const xmlChar *)"key"))) {
+ if (axis != 0) {
+ xsltTransformError(NULL, NULL, NULL,
+@@ -1402,8 +1411,11 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ NEXT;
+ SKIP_BLANKS;
+ lit = xsltScanLiteral(ctxt);
+- if (ctxt->error)
++ if (ctxt->error) {
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltCompileIdKeyPattern : Literal expected\n");
+ return;
++ }
+ SKIP_BLANKS;
+ if (CUR != ',') {
+ xsltTransformError(NULL, NULL, NULL,
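Review bot: The `,`-expected check that opens at the end of this hunk appears to leave lit allocated. The patch adds `xmlFree(lit)` to the later `Literal expected` and `) expected` exits of the key() branch, but nothing is shown being added to this one, whose body continues outside the hunk. The processing-instruction branch further down has the same shape: its `if (CUR != ')')` test after xsltScanLiteral is left unchanged. If those blocks return after setting `ctxt->error = 1`, add `xmlFree(lit);` before the return, as done for the id() branch.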
+@@ -1414,25 +1426,36 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ NEXT;
+ SKIP_BLANKS;
+ lit2 = xsltScanLiteral(ctxt);
+- if (ctxt->error)
++ if (ctxt->error) {
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltCompileIdKeyPattern : Literal expected\n");
++ xmlFree(lit);
+ return;
++ }
+ SKIP_BLANKS;
+ if (CUR != ')') {
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltCompileIdKeyPattern : ) expected\n");
++ xmlFree(lit);
++ xmlFree(lit2);
+ ctxt->error = 1;
+ return;
+ }
+ NEXT;
+ /* URGENT TODO: support namespace in keys */
+ PUSH(XSLT_OP_KEY, lit, lit2, novar);
++ lit = NULL;
++ lit2 = NULL;
+ } else if (xmlStrEqual(name, (const xmlChar *)"processing-instruction")) {
+ NEXT;
+ SKIP_BLANKS;
+ if (CUR != ')') {
+ lit = xsltScanLiteral(ctxt);
+- if (ctxt->error)
++ if (ctxt->error) {
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltCompileIdKeyPattern : Literal expected\n");
+ return;
++ }
+ SKIP_BLANKS;
+ if (CUR != ')') {
+ xsltTransformError(NULL, NULL, NULL,
+@@ -1443,6 +1466,7 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ }
+ NEXT;
+ PUSH(XSLT_OP_PI, lit, NULL, novar);
++ lit = NULL;
+ } else if (xmlStrEqual(name, (const xmlChar *)"text")) {
+ NEXT;
+ SKIP_BLANKS;
+@@ -1493,8 +1517,7 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ return;
+ }
+ error:
+- if (name != NULL)
+- xmlFree(name);
++ return;
+ }
+
+ /**
+@@ -1557,6 +1580,8 @@ parse_node_test:
+ SKIP_BLANKS;
+ if (CUR == '(') {
+ xsltCompileIdKeyPattern(ctxt, token, 0, novar, axis);
++ xmlFree(token);
++ token = NULL;
+ if (ctxt->error)
+ goto error;
+ } else if (CUR == ':') {
+@@ -1575,20 +1600,24 @@ parse_node_test:
+ "xsltCompileStepPattern : no namespace bound to prefix %s\n",
+ prefix);
+ xmlFree(prefix);
++ prefix=NULL;
+ ctxt->error = 1;
+ goto error;
+ } else {
+ URL = xmlStrdup(ns->href);
+ }
+ xmlFree(prefix);
++ prefix=NULL;
+ if (token == NULL) {
+ if (CUR == '*') {
+ NEXT;
+ if (axis == AXIS_ATTRIBUTE) {
+ PUSH(XSLT_OP_ATTR, NULL, URL, novar);
++ URL = NULL;
+ }
+ else {
+ PUSH(XSLT_OP_NS, URL, NULL, novar);
++ URL = NULL;
+ }
+ } else {
+ xsltTransformError(NULL, NULL, NULL,
+@@ -1599,9 +1628,13 @@ parse_node_test:
+ } else {
+ if (axis == AXIS_ATTRIBUTE) {
+ PUSH(XSLT_OP_ATTR, token, URL, novar);
++ token = NULL;
++ URL = NULL;
+ }
+ else {
+ PUSH(XSLT_OP_ELEM, token, URL, novar);
++ token = NULL;
++ URL = NULL;
+ }
+ }
+ } else {
+@@ -1623,6 +1656,7 @@ parse_node_test:
+ goto error;
+ }
+ xmlFree(token);
++ token = NULL;
+ SKIP_BLANKS;
+ token = xsltScanNCName(ctxt);
+ goto parse_node_test;
+@@ -1637,9 +1671,13 @@ parse_node_test:
+ URL = xmlStrdup(URI);
+ if (axis == AXIS_ATTRIBUTE) {
+ PUSH(XSLT_OP_ATTR, token, URL, novar);
++ token = NULL;
++ URL = NULL;
+ }
+ else {
+ PUSH(XSLT_OP_ELEM, token, URL, novar);
++ token = NULL;
++ URL = NULL;
+ }
+ }
+ parse_predicate:
+@@ -1679,6 +1717,7 @@ parse_predicate:
+ }
+ ret = xmlStrndup(q, CUR_PTR - q);
+ PUSH(XSLT_OP_PREDICATE, ret, NULL, novar);
++ ret = NULL;
+ /* push the predicate lower than local test */
+ SWAP();
+ NEXT;
+@@ -1787,6 +1826,8 @@ xsltCompileLocationPathPattern(xsltParserContextPtr ctxt, int novar) {
+ SKIP_BLANKS;
+ if ((CUR == '(') && !xmlXPathIsNodeType(name)) {
+ xsltCompileIdKeyPattern(ctxt, name, 1, novar, 0);
++ xmlFree(name);
++ name = NULL;
+ if ((CUR == '/') && (NXT(1) == '/')) {
+ PUSH(XSLT_OP_ANCESTOR, NULL, NULL, novar);
+ NEXT;
+diff --git a/libxslt/preproc.c b/libxslt/preproc.c
+index b47d809..0d79976 100644
+--- a/libxslt/preproc.c
++++ b/libxslt/preproc.c
+@@ -669,7 +669,7 @@ xsltSortComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ #else
+ xsltStylePreCompPtr comp;
+ #endif
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -777,7 +777,7 @@ xsltCopyComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+ #ifdef XSLT_REFACTORED
+ comp = (xsltStyleItemCopyPtr) xsltNewStylePreComp(style, XSLT_FUNC_COPY);
+@@ -821,7 +821,7 @@ xsltTextComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ #endif
+ const xmlChar *prop;
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -874,7 +874,7 @@ xsltElementComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ * <!-- Content: template -->
+ * </xsl:element>
+ */
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -991,7 +991,7 @@ xsltAttributeComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ * <!-- Content: template -->
+ * </xsl:attribute>
+ */
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1111,7 +1111,7 @@ xsltCommentComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1141,7 +1141,7 @@ xsltProcessingInstructionComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1175,7 +1175,7 @@ xsltCopyOfComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1222,7 +1222,7 @@ xsltValueOfComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ #endif
+ const xmlChar *prop;
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1347,7 +1347,7 @@ xsltWithParamComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1406,7 +1406,7 @@ xsltNumberComp(xsltStylesheetPtr style, xmlNodePtr cur) {
+ #endif
+ const xmlChar *prop;
+
+- if ((style == NULL) || (cur == NULL))
++ if ((style == NULL) || (cur == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1520,7 +1520,7 @@ xsltApplyImportsComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1550,7 +1550,7 @@ xsltCallTemplateComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1589,7 +1589,7 @@ xsltApplyTemplatesComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1641,7 +1641,7 @@ xsltChooseComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1672,7 +1672,7 @@ xsltIfComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1718,7 +1718,7 @@ xsltWhenComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1764,7 +1764,7 @@ xsltForEachComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1812,7 +1812,7 @@ xsltVariableComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1875,7 +1875,7 @@ xsltParamComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((style == NULL) || (inst == NULL))
++ if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -1967,7 +1967,7 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr node) {
+ * the parsing mechanism for all elements in the XSLT namespace.
+ */
+ if (style == NULL) {
+- if (node != NULL)
++ if ((node != NULL) && (node->type == XML_ELEMENT_NODE))
+ node->psvi = NULL;
+ return;
+ }
+@@ -2182,7 +2182,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) {
+ * namespace- and local-name of the node, but can evaluate this
+ * using cctxt->style->inode->category;
+ */
+- if (inst->psvi != NULL)
++ if ((inst == NULL) || (inst->type != XML_ELEMENT_NODE) ||
++ (inst->psvi != NULL))
+ return;
+
+ if (IS_XSLT_ELEM(inst)) {
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index c6250dc..81de93c 100644
+--- a/libxslt/templates.c
++++ b/libxslt/templates.c
+@@ -198,7 +198,8 @@ xsltEvalTemplateString(xsltTransformContextPtr ctxt,
+ xmlNodePtr oldInsert, insert = NULL;
+ xmlChar *ret;
+
+- if ((ctxt == NULL) || (contextNode == NULL) || (inst == NULL))
++ if ((ctxt == NULL) || (contextNode == NULL) || (inst == NULL) ||
++ (inst->type != XML_ELEMENT_NODE))
+ return(NULL);
+
+ if (inst->children == NULL)
+@@ -380,7 +381,8 @@ xsltEvalAttrValueTemplate(xsltTransformContextPtr ctxt, xmlNodePtr inst,
+ xmlChar *ret;
+ xmlChar *expr;
+
+- if ((ctxt == NULL) || (inst == NULL) || (name == NULL))
++ if ((ctxt == NULL) || (inst == NULL) || (name == NULL) ||
++ (inst->type != XML_ELEMENT_NODE))
+ return(NULL);
+
+ expr = xsltGetNsProp(inst, name, ns);
+@@ -424,7 +426,8 @@ xsltEvalStaticAttrValueTemplate(xsltStylesheetPtr style, xmlNodePtr inst,
+ const xmlChar *ret;
+ xmlChar *expr;
+
+- if ((style == NULL) || (inst == NULL) || (name == NULL))
++ if ((style == NULL) || (inst == NULL) || (name == NULL) ||
++ (inst->type != XML_ELEMENT_NODE))
+ return(NULL);
+
+ expr = xsltGetNsProp(inst, name, ns);
+@@ -465,7 +468,8 @@ xsltAttrTemplateProcess(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ const xmlChar *value;
+ xmlAttrPtr ret;
+
+- if ((ctxt == NULL) || (attr == NULL) || (target == NULL))
++ if ((ctxt == NULL) || (attr == NULL) || (target == NULL) ||
++ (target->type != XML_ELEMENT_NODE))
+ return(NULL);
+
+ if (attr->type != XML_ATTRIBUTE_NODE)
+@@ -622,7 +626,8 @@ xsltAttrListTemplateProcess(xsltTransformContextPtr ctxt,
+ const xmlChar *value;
+ xmlChar *valueAVT;
+
+- if ((ctxt == NULL) || (target == NULL) || (attrs == NULL))
++ if ((ctxt == NULL) || (target == NULL) || (attrs == NULL) ||
++ (target->type != XML_ELEMENT_NODE))
+ return(NULL);
+
+ oldInsert = ctxt->insert;
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index a4ca41d..5461daa 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -726,7 +726,7 @@ xsltCopyTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ #endif
+
+ /*
+- * Play save and reset the merging mechanism for every new
++ * Play safe and reset the merging mechanism for every new
+ * target node.
+ */
+ if ((target == NULL) || (target->children == NULL)) {
+diff --git a/libxslt/variables.c b/libxslt/variables.c
+index 43a6156..df207c7 100644
+--- a/libxslt/variables.c
++++ b/libxslt/variables.c
+@@ -1926,7 +1926,7 @@ xsltParseStylesheetCallerParam(xsltTransformContextPtr ctxt, xmlNodePtr inst)
+ the instruction itself. */
+ xsltStackElemPtr param = NULL;
+
+- if ((ctxt == NULL) || (inst == NULL))
++ if ((ctxt == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return(NULL);
+
+ #ifdef XSLT_REFACTORED
+@@ -1985,7 +1985,7 @@ xsltParseGlobalVariable(xsltStylesheetPtr style, xmlNodePtr cur)
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -2047,7 +2047,7 @@ xsltParseGlobalParam(xsltStylesheetPtr style, xmlNodePtr cur) {
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ #ifdef XSLT_REFACTORED
+@@ -2110,7 +2110,7 @@ xsltParseStylesheetVariable(xsltTransformContextPtr ctxt, xmlNodePtr inst)
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((inst == NULL) || (ctxt == NULL))
++ if ((inst == NULL) || (ctxt == NULL) || (inst->type != XML_ELEMENT_NODE))
+ return;
+
+ comp = inst->psvi;
+@@ -2152,7 +2152,7 @@ xsltParseStylesheetParam(xsltTransformContextPtr ctxt, xmlNodePtr cur)
+ xsltStylePreCompPtr comp;
+ #endif
+
+- if ((cur == NULL) || (ctxt == NULL))
++ if ((cur == NULL) || (ctxt == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ comp = cur->psvi;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 55f505b..fa5a3f9 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -1153,9 +1153,9 @@ xsltParseStylesheetOutput(xsltStylesheetPtr style, xmlNodePtr cur)
+ xmlChar *element,
+ *end;
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+-
++
+ prop = xmlGetNsProp(cur, (const xmlChar *) "version", NULL);
+ if (prop != NULL) {
+ if (style->version != NULL)
+@@ -1368,12 +1368,12 @@ xsltParseStylesheetDecimalFormat(xsltStylesheetPtr style, xmlNodePtr cur)
+ xmlChar *prop;
+ xsltDecimalFormatPtr format;
+ xsltDecimalFormatPtr iter;
+-
+- if ((cur == NULL) || (style == NULL))
++
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ format = style->decimalFormat;
+-
++
+ prop = xmlGetNsProp(cur, BAD_CAST("name"), NULL);
+ if (prop != NULL) {
+ format = xsltDecimalFormatGetByName(style, prop);
+@@ -1475,7 +1475,7 @@ xsltParseStylesheetPreserveSpace(xsltStylesheetPtr style, xmlNodePtr cur) {
+ xmlChar *elements;
+ xmlChar *element, *end;
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ elements = xmlGetNsProp(cur, (const xmlChar *)"elements", NULL);
+@@ -1549,7 +1549,7 @@ xsltParseStylesheetExtPrefix(xsltStylesheetPtr style, xmlNodePtr cur,
+ xmlChar *prefixes;
+ xmlChar *prefix, *end;
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ if (isXsltElem) {
+@@ -1614,7 +1614,7 @@ xsltParseStylesheetStripSpace(xsltStylesheetPtr style, xmlNodePtr cur) {
+ xmlChar *elements;
+ xmlChar *element, *end;
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return;
+
+ elements = xmlGetNsProp(cur, (const xmlChar *)"elements", NULL);
+@@ -1687,7 +1687,7 @@ xsltParseStylesheetExcludePrefix(xsltStylesheetPtr style, xmlNodePtr cur,
+ xmlChar *prefixes;
+ xmlChar *prefix, *end;
+
+- if ((cur == NULL) || (style == NULL))
++ if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ return(0);
+
+ if (isXsltElem)
+@@ -4278,7 +4278,7 @@ static int
+ xsltParseUnknownXSLTElem(xsltCompilerCtxtPtr cctxt,
+ xmlNodePtr node)
+ {
+- if ((cctxt == NULL) || (node == NULL))
++ if ((cctxt == NULL) || (node == NULL) || (node->type != XML_ELEMENT_NODE))
+ return(-1);
+
+ /*
+@@ -4375,7 +4375,7 @@ xsltParseSequenceConstructor(xsltCompilerCtxtPtr cctxt, xmlNodePtr cur)
+ if (cctxt->inode->category == XSLT_ELEMENT_CATEGORY_EXTENSION) {
+ cctxt->inode->extContentHandled = 1;
+ }
+- if (cur == NULL)
++ if ((cur == NULL) || (cur->type == XML_NAMESPACE_DECL))
+ return;
+ /*
+ * This is the content reffered to as a "template".
+@@ -4780,7 +4780,8 @@ xsltParseSequenceConstructor(xsltCompilerCtxtPtr cctxt, xmlNodePtr cur)
+ */
+ void
+ xsltParseTemplateContent(xsltStylesheetPtr style, xmlNodePtr templ) {
+- if ((style == NULL) || (templ == NULL))
++ if ((style == NULL) || (templ == NULL) ||
++ (templ->type == XML_NAMESPACE_DECL))
+ return;
+
+ /*
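Review bot: xsltParseTemplateContent rejects only `XML_NAMESPACE_DECL`, here and in the second definition in the next hunk, while xsltParseXSLTTemplate, xsltParseStylesheetTemplate and the other entry points patched in this file require `XML_ELEMENT_NODE`. A deny-list of one type lets every other non-element node through, so if templ is always expected to be the template element, `(templ->type != XML_ELEMENT_NODE)` would match the rest of the patch. xsltParseSequenceConstructor may need the looser test because cur can be a child of any kind; if so, a one-line comment saying that would help. The second definition also puts `return;` on the same line as the condition, unlike the surrounding code.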
+@@ -4829,6 +4830,10 @@ xsltParseTemplateContent(xsltStylesheetPtr style, xmlNodePtr templ) {
+ void
+ xsltParseTemplateContent(xsltStylesheetPtr style, xmlNodePtr templ) {
+ xmlNodePtr cur, delete;
++
++ if ((style == NULL) || (templ == NULL) ||
++ (templ->type == XML_NAMESPACE_DECL)) return;
++
+ /*
+ * This content comes from the stylesheet
+ * For stylesheets, the set of whitespace-preserving
+@@ -5048,7 +5053,7 @@ xsltParseStylesheetKey(xsltStylesheetPtr style, xmlNodePtr key) {
+ xmlChar *name = NULL;
+ xmlChar *nameURI = NULL;
+
+- if ((style == NULL) || (key == NULL))
++ if ((style == NULL) || (key == NULL) || (key->type != XML_ELEMENT_NODE))
+ return;
+
+ /*
+@@ -5138,7 +5143,8 @@ xsltParseXSLTTemplate(xsltCompilerCtxtPtr cctxt, xmlNodePtr templNode) {
+ xmlChar *prop;
+ double priority;
+
+- if ((cctxt == NULL) || (templNode == NULL))
++ if ((cctxt == NULL) || (templNode == NULL) ||
++ (templNode->type != XML_ELEMENT_NODE))
+ return;
+
+ /*
+@@ -5299,7 +5305,8 @@ xsltParseStylesheetTemplate(xsltStylesheetPtr style, xmlNodePtr template) {
+ xmlChar *modeURI = NULL;
+ double priority;
+
+- if (template == NULL)
++ if ((style == NULL) || (template == NULL) ||
++ (template->type != XML_ELEMENT_NODE))
+ return;
+
+ /*
+@@ -5431,7 +5438,7 @@ static xsltStyleItemIncludePtr
+ xsltCompileXSLTIncludeElem(xsltCompilerCtxtPtr cctxt, xmlNodePtr node) {
+ xsltStyleItemIncludePtr item;
+
+- if ((cctxt == NULL) || (node == NULL))
++ if ((cctxt == NULL) || (node == NULL) || (node->type != XML_ELEMENT_NODE))
+ return(NULL);
+
+ node->psvi = NULL;
+@@ -5951,7 +5958,7 @@ xsltParseXSLTStylesheetElem(xsltCompilerCtxtPtr cctxt, xmlNodePtr node)
+ {
+ xmlNodePtr cur, start;
+
+- if ((cctxt == NULL) || (node == NULL))
++ if ((cctxt == NULL) || (node == NULL) || (node->type != XML_ELEMENT_NODE))
+ return(-1);
+
+ if (node->children == NULL)
+@@ -6039,7 +6046,7 @@ xsltParseStylesheetTop(xsltStylesheetPtr style, xmlNodePtr top) {
+ int templates = 0;
+ #endif
+
+- if (top == NULL)
++ if ((top == NULL) || (top->type != XML_ELEMENT_NODE))
+ return;
+
+ prop = xmlGetNsProp(top, (const xmlChar *)"version", NULL);
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index d6b1e98..531d595 100644
+--- a/libxslt/xsltutils.c
++++ b/libxslt/xsltutils.c
+@@ -90,10 +90,15 @@ xsltGetCNsProp(xsltStylesheetPtr style, xmlNodePtr node,
+ if ((node == NULL) || (style == NULL) || (style->dict == NULL))
+ return(NULL);
+
+- prop = node->properties;
+- if (nameSpace == NULL) {
++ if (nameSpace == NULL)
+ return xmlGetProp(node, name);
+- }
++
++ if (node->type == XML_NAMESPACE_DECL)
++ return(NULL);
++ if (node->type == XML_ELEMENT_NODE)
++ prop = node->properties;
++ else
++ prop = NULL;
+ while (prop != NULL) {
+ /*
+ * One need to have
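Review bot: The new node-type test in xsltGetCNsProp sits after the `nameSpace == NULL` shortcut, so a call without a namespace still hands a namespace-declaration node to `xmlGetProp` and relies on libxml2 to reject it. Moving a single `if (node->type != XML_ELEMENT_NODE) return(NULL);` above the shortcut would make the function safe on its own and remove the need for the `prop = NULL` fallback. As written, other non-element types skip the loop and appear to fall through to the DTD lookup that reads `node->name`, most of which lies outside the hunk. xsltGetNsProp in the hunk after next has the same ordering.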
+@@ -130,7 +135,7 @@ xsltGetCNsProp(xsltStylesheetPtr style, xmlNodePtr node,
+ attrDecl = xmlGetDtdAttrDesc(doc->intSubset, node->name, name);
+ if ((attrDecl == NULL) && (doc->extSubset != NULL))
+ attrDecl = xmlGetDtdAttrDesc(doc->extSubset, node->name, name);
+-
++
+ if ((attrDecl != NULL) && (attrDecl->prefix != NULL)) {
+ /*
+ * The DTD declaration only allows a prefix search
+@@ -172,7 +177,15 @@ xsltGetNsProp(xmlNodePtr node, const xmlChar *name, const xmlChar *nameSpace) {
+ if (node == NULL)
+ return(NULL);
+
+- prop = node->properties;
++ if (nameSpace == NULL)
++ return xmlGetProp(node, name);
++
++ if (node->type == XML_NAMESPACE_DECL)
++ return(NULL);
++ if (node->type == XML_ELEMENT_NODE)
++ prop = node->properties;
++ else
++ prop = NULL;
+ /*
+ * TODO: Substitute xmlGetProp() for xmlGetNsProp(), since the former
+ * is not namespace-aware and will return an attribute with equal
+@@ -182,8 +195,6 @@ xsltGetNsProp(xmlNodePtr node, const xmlChar *name, const xmlChar *nameSpace) {
+ * So this would return "myName" even if an attribute @name
+ * in the XSLT was requested.
+ */
+- if (nameSpace == NULL)
+- return(xmlGetProp(node, name));
+ while (prop != NULL) {
+ /*
+ * One need to have
+@@ -216,7 +227,7 @@ xsltGetNsProp(xmlNodePtr node, const xmlChar *name, const xmlChar *nameSpace) {
+ attrDecl = xmlGetDtdAttrDesc(doc->intSubset, node->name, name);
+ if ((attrDecl == NULL) && (doc->extSubset != NULL))
+ attrDecl = xmlGetDtdAttrDesc(doc->extSubset, node->name, name);
+-
++
+ if ((attrDecl != NULL) && (attrDecl->prefix != NULL)) {
+ /*
+ * The DTD declaration only allows a prefix search
+--
diff --git a/debian/patches/0007-Fix-default-template-processing-on-namespace-nodes.patch b/debian/patches/0007-Fix-default-template-processing-on-namespace-nodes.patch
new file mode 100644
index 0000000..912b372
--- /dev/null
+++ b/debian/patches/0007-Fix-default-template-processing-on-namespace-nodes.patch
@@ -0,0 +1,34 @@
+From: Daniel Veillard <veillard at redhat.com>
+Date: Wed, 8 Aug 2012 15:31:05 +0800
+Subject: Fix default template processing on namespace nodes
+
+---
+ libxslt/transform.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 5461daa..38fbad6 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -4832,7 +4832,10 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ list = xmlXPathNodeSetCreate(NULL);
+ if (list == NULL)
+ goto error;
+- cur = node->children;
++ if (node->type != XML_NAMESPACE_DECL)
++ cur = node->children;
++ else
++ cur = NULL;
+ while (cur != NULL) {
+ switch (cur->type) {
+ case XML_TEXT_NODE:
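Review bot: The new `node->type != XML_NAMESPACE_DECL` test before `cur = node->children` has no comment saying why a namespace node must be skipped. A namespace node reaches xsltApplyTemplates as an xmlNs cast to xmlNodePtr, and that structure has no children member, so the read would interpret unrelated memory as a node list. I would add `/* namespace nodes are xmlNs structures and have no children list */` above the test. The `case XML_NAMESPACE_DECL: break;` added in the next hunk skips the `default:` branch and its debug trace; if that is intended, a short comment there would help. The function body extends beyond both hunks.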
+@@ -4881,6 +4884,8 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ if (cur->prev != NULL)
+ cur->prev->next = cur->next;
+ break;
++ case XML_NAMESPACE_DECL:
++ break;
+ default:
+ #ifdef WITH_XSLT_DEBUG_PROCESS
+ XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext,
+--
diff --git a/debian/patches/0008-Fix-a-dictionary-string-usage.patch b/debian/patches/0008-Fix-a-dictionary-string-usage.patch
new file mode 100644
index 0000000..8c9806d
--- /dev/null
+++ b/debian/patches/0008-Fix-a-dictionary-string-usage.patch
@@ -0,0 +1,104 @@
+From: Chris Evans <cevans at chromium.org>
+Date: Mon, 3 Sep 2012 15:50:22 +0800
+Subject: Fix a dictionary string usage
+
+Raised in chromium, but also affecting xsltproc
+Also updated AUTHORS to list Chris and other contributors
+---
+ AUTHORS | 45 ++++++++++++++++++++++++++++++++++++++++++++-
+ libxslt/templates.c | 7 +++++--
+ 2 files changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/AUTHORS b/AUTHORS
+index 094ebbc..3a70a17 100644
+--- a/AUTHORS
++++ b/AUTHORS
+@@ -5,7 +5,7 @@ Daniel Veillard:
+ Used to work at W3C, now Red Hat
+ co-chair of W3C XML Linking WG
+ invited expert on the W3C XML Core WG
+- Author of libxml upon which this library is based.
++ Author of libxml2 upon which this library is based.
+
+ Bjorn Reese:
+ breese at users.sourceforge.net
+@@ -18,3 +18,46 @@ William Brack <wbrack at mmm.com.hk>
+ Thomas Broyer <tbroyer at ltgt.net>
+
+ Igor Zlatkovic <igor at zlatkovic.com> for the Windows port
++
++Patches gently provided by a multitude of people :
++
++Abhishek Arya <inferno at chromium.org>
++Ben Walton <bwalton at artsci.utoronto.ca>
++Bjorn Reese <breese at src.gnome.org>
++C. M. Sperberg-McQueen <cmsmcq at blackmesatech.com>
++Colin Walters <walters at verbum.org>
++Daniel Mustieles <daniel.mustieles at gmail.com>
++Daniel Richard G <oss at teragram.com>
++Darin Adler <darin at src.gnome.org>
++ÉRDI Gergo <cactus at src.gnome.org>
++Fatih Demir <kabalak at src.gnome.org>
++Federico Mena Quintero <federico at ximian.com>
++Frederic Crozat <fcrozat at mandriva.com>
++Hao Hu <ihaohu at gmail.com>
++Havoc Pennington <hp at pobox.com>
++IlyaS <astro.courier at gmail.com>
++jacob berkman <jacob at ximian.com>
++Jason Viers <bean at beanalby.net>
++Jérôme Carretero <cJ-xslt at zougloub.eu>
++Joachim Breitner <nomeata at debian.org>
++Johan Dahlin <zilch at src.gnome.org>
++John Fleck <jfleck at inkstain.net>
++Jose Maria Celorio <chema at src.gnome.org>
++Julio M. Merino Vidal <jmmv at NetBSD.org>
++Kasimier T. Buchcik <kbuchcik at src.gnome.org>
++Kjartan Maraas <kmaraas at src.gnome.org>
++Laurence Rowe <l at lrowe.co.uk>
++Malcolm Purvis <malcolm at purvis.id.au>
++Martin <gzlist at googlemail.com>
++MDT 2002 John Fleck <jfleck at inkstain.net>
++Michael Bonfils <murlock42 at gmail.com>
++money_seshu Dronamraju <mcseshu at gmail.com>
++Nick Wellnhofer <wellnhofer at aevum.de>
++Nix <nix at esperi.org.uk>
++Pedro F. Giffuni <giffunip at tutopia.com>
++Peter Williams <peterw at ximian.com>
++Rob Richards <rrichard at src.gnome.org>
++Roumen Petrov <bugtrack at roumenpetrov.info>
++Stefan Kost <ensonic at users.sf.net>
++Tomasz Kłoczko <kloczek at src.gnome.org>
++Chris Evans <cevans at chromium.org>
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index 81de93c..e1289fc 100644
+--- a/libxslt/templates.c
++++ b/libxslt/templates.c
+@@ -18,6 +18,7 @@
+ #include <libxml/globals.h>
+ #include <libxml/xmlerror.h>
+ #include <libxml/tree.h>
++#include <libxml/dict.h>
+ #include <libxml/xpathInternals.h>
+ #include <libxml/parserInternals.h>
+ #include "xslt.h"
+@@ -576,7 +577,8 @@ xsltAttrTemplateProcess(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ }
+ } else if ((ctxt->internalized) && (target != NULL) &&
+ (target->doc != NULL) &&
+- (target->doc->dict == ctxt->dict)) {
++ (target->doc->dict == ctxt->dict) &&
++ xmlDictOwns(ctxt->dict, value)) {
+ text->content = (xmlChar *) value;
+ } else {
+ text->content = xmlStrdup(value);
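Review bot: `xmlDictOwns(ctxt->dict, value)` is used as a boolean, but libxml2 documents it as returning 1 when the dictionary owns the string, 0 when it does not and -1 on error, so an error result would still select the branch that stores value without copying it. Comparing explicitly, `(xmlDictOwns(ctxt->dict, value) == 1)`, keeps the uncopied assignment for strings the dictionary is known to own and sends everything else to `xmlStrdup(value)`. The same condition is added in xsltAttrListTemplateProcess in the next hunk. Both functions continue outside their hunks.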
+@@ -762,7 +764,8 @@ xsltAttrListTemplateProcess(xsltTransformContextPtr ctxt,
+ }
+ } else if ((ctxt->internalized) &&
+ (target->doc != NULL) &&
+- (target->doc->dict == ctxt->dict))
++ (target->doc->dict == ctxt->dict) &&
++ xmlDictOwns(ctxt->dict, value))
+ {
+ text->content = (xmlChar *) value;
+ } else {
+--
diff --git a/debian/patches/series b/debian/patches/series
index a53b140..bfd2026 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,6 @@
0003-code-fix-and-docs-modification.patch
0004-fix-typo.patch
0005-cve-2012-2825.patch
+0006-cve-2012-2870.patch
+0007-Fix-default-template-processing-on-namespace-nodes.patch
+0008-Fix-a-dictionary-string-usage.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/libxslt.git