lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-31 21:50:33 +03:00
Code Activity

Fix NULL pointer deref in XPointer range-to

Browse Source 
- Check for errors after evaluating first operand.
- Add sanity check for empty stack.

Found with afl-fuzz.
This commit is contained in:
Nick Wellnhofer
2016-06-25 12:35:50 +02:00
parent 1fc55ca72b
commit d8083bf779
3 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
result/XPath/xptr/viderror Normal file
View File

@@ -0,0 +1,4 @@
========================
Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))
Object is empty (NULL)

1
test/XPath/xptr/viderror Normal file
View File

@@ -0,0 +1 @@
xpointer(non-existing-fn()/range-to(id('chapter2')))

7
xpath.c
View File

@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
xmlNodeSetPtr oldset; xmlNodeSetPtr oldset;
int i, j; int i, j;
if (op->ch1 != -1) if (op->ch1 != -1) {
total += total +=
xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]); xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
CHECK_ERROR0;
}
if (ctxt->value == NULL) {
XP_ERROR0(XPATH_INVALID_OPERAND);
}
if (op->ch2 == -1) if (op->ch2 == -1)
return (total); return (total);