Fix use-after-free in xsltApplyTemplates
xsltApplyTemplates without a select expression could delete nodes in the source document.

1. Text nodes with strippable whitespace

Whitespace from input documents is already stripped, so there's no need to strip it again. Under certain circumstances, xsltApplyTemplates could be fooled into deleting text nodes that are still referenced, resulting in a use-after-free.

2. The DTD

The DTD was only unlinked, but there's no good reason to do this just now. Maybe it was meant as a micro-optimization.

3. Unknown nodes

Useless and dangerous as well, especially with XInclude nodes. See https://gitlab.gnome.org/GNOME/libxml2/-/issues/268

Simply stop trying to uselessly delete nodes when applying a template. This part of the code is probably a leftover from a time where xsltApplyStripSpaces wasn't implemented yet. Also note that xsltApplyTemplates with a select expression never tried to delete nodes.

Also stop xsltDefaultProcessOneNode from deleting nodes for the same reasons.

This fixes CVE-2021-30560.
Showing 1 changed file with 7 additions and 112 deletions.
50f9c9c
Hi @nwellnhof, does this also fix https://nvd.nist.gov/vuln/detail/CVE-2019-18197?
No, it doesn't.