48 lines
1.5 KiB
Diff
48 lines
1.5 KiB
Diff
Fix CVE-2017-15412:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412
|
|
https://bugs.chromium.org/p/chromium/issues/detail?id=727039
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=1523128
|
|
https://bugzilla.gnome.org/show_bug.cgi?id=783160
|
|
|
|
Patch copied from upstream source repository:
|
|
|
|
https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73
|
|
|
|
From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Thu, 1 Jun 2017 23:12:19 +0200
|
|
Subject: [PATCH] Fix XPath stack frame logic
|
|
|
|
Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
|
|
xmlXPathCompOpEvalPositionalPredicate to make sure that the context
|
|
object on the stack is actually protected. Otherwise, memory corruption
|
|
can occur when calling sloppily coded XPath extension functions.
|
|
|
|
Fixes bug 783160.
|
|
---
|
|
xpath.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/xpath.c b/xpath.c
|
|
index 94815075..b816bd36 100644
|
|
--- a/xpath.c
|
|
+++ b/xpath.c
|
|
@@ -11932,11 +11932,11 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
|
|
}
|
|
}
|
|
|
|
- frame = xmlXPathSetFrame(ctxt);
|
|
valuePush(ctxt, contextObj);
|
|
+ frame = xmlXPathSetFrame(ctxt);
|
|
res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
|
|
- tmp = valuePop(ctxt);
|
|
xmlXPathPopFrame(ctxt, frame);
|
|
+ tmp = valuePop(ctxt);
|
|
|
|
if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
|
|
while (tmp != contextObj) {
|
|
--
|
|
2.15.1
|
|
|