Fix NULL pointer deref in XPointer range-to

- Check for errors after evaluating first operand. - Add sanity check for empty stack. Found with afl-fuzz.
2025-10-28 23:14:57 +03:00 · 2016-06-25 12:35:50 +02:00
parent 1fc55ca72b
commit d8083bf779
3 changed files with 11 additions and 1 deletions
--- a/result/XPath/xptr/viderror
+++ b/result/XPath/xptr/viderror
@@ -0,0 +1,4 @@
+
+========================
+Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))
+Object is empty (NULL)
--- a/test/XPath/xptr/viderror
+++ b/test/XPath/xptr/viderror
@@ -0,0 +1 @@
+xpointer(non-existing-fn()/range-to(id('chapter2')))
--- a/xpath.c
+++ b/xpath.c
@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
                xmlNodeSetPtr oldset;
                int i, j;

-                if (op->ch1 != -1)
+                if (op->ch1 != -1) {
                    total +=
                        xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
+                    CHECK_ERROR0;
+                }
+                if (ctxt->value == NULL) {
+                    XP_ERROR0(XPATH_INVALID_OPERAND);
+                }
                if (op->ch2 == -1)
                    return (total);
				`@@ -0,0 +1 @@`
				`xpointer(non-existing-fn()/range-to(id('chapter2')))`