mirror of
https://github.com/openwrt/packages.git
synced 2026-01-09 19:31:21 +00:00
a5bbf27e35
Debian uses libxml2 2.9.4 in Stretch. This adds their security related fixes from 2.9.4+dfsg1-2.2+deb9u2 to LEDE's 17.01 release. Fixed CVEs: CVE-2016-4658 CVE-2016-5131 CVE-2017-0663 CVE-2017-15412 CVE-2017-7375 CVE-2017-7376 CVE-2017-9047 CVE-2017-9048 CVE-2017-9049 CVE-2017-9050 Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
139 lines
4.0 KiB
Diff
139 lines
4.0 KiB
Diff
From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Tue, 28 Jun 2016 14:22:23 +0200
|
|
Subject: [PATCH] Fix XPointer paths beginning with range-to
|
|
|
|
The old code would invoke the broken xmlXPtrRangeToFunction. range-to
|
|
isn't really a function but a special kind of location step. Remove
|
|
this function and always handle range-to in the XPath code.
|
|
|
|
The old xmlXPtrRangeToFunction could also be abused to trigger a
|
|
use-after-free error with the potential for remote code execution.
|
|
|
|
Found with afl-fuzz.
|
|
|
|
Fixes CVE-2016-5131.
|
|
---
|
|
result/XPath/xptr/vidbase | 13 ++++++++
|
|
test/XPath/xptr/vidbase | 1 +
|
|
xpath.c | 7 ++++-
|
|
xpointer.c | 76 ++++-------------------------------------------
|
|
4 files changed, 26 insertions(+), 71 deletions(-)
|
|
|
|
--- a/xpath.c
|
|
+++ b/xpath.c
|
|
@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserConte
|
|
lc = 1;
|
|
break;
|
|
} else if ((NXT(len) == '(')) {
|
|
- /* Note Type or Function */
|
|
+ /* Node Type or Function */
|
|
if (xmlXPathIsNodeType(name)) {
|
|
#ifdef DEBUG_STEP
|
|
xmlGenericError(xmlGenericErrorContext,
|
|
"PathExpr: Type search\n");
|
|
#endif
|
|
lc = 1;
|
|
+#ifdef LIBXML_XPTR_ENABLED
|
|
+ } else if (ctxt->xptr &&
|
|
+ xmlStrEqual(name, BAD_CAST "range-to")) {
|
|
+ lc = 1;
|
|
+#endif
|
|
} else {
|
|
#ifdef DEBUG_STEP
|
|
xmlGenericError(xmlGenericErrorContext,
|
|
--- a/xpointer.c
|
|
+++ b/xpointer.c
|
|
@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNode
|
|
ret->here = here;
|
|
ret->origin = origin;
|
|
|
|
- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
|
|
- xmlXPtrRangeToFunction);
|
|
xmlXPathRegisterFunc(ret, (xmlChar *)"range",
|
|
xmlXPtrRangeFunction);
|
|
xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
|
|
@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParse
|
|
* @nargs: the number of args
|
|
*
|
|
* Implement the range-to() XPointer function
|
|
+ *
|
|
+ * Obsolete. range-to is not a real function but a special type of location
|
|
+ * step which is handled in xpath.c.
|
|
*/
|
|
void
|
|
-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
|
|
- xmlXPathObjectPtr range;
|
|
- const xmlChar *cur;
|
|
- xmlXPathObjectPtr res, obj;
|
|
- xmlXPathObjectPtr tmp;
|
|
- xmlLocationSetPtr newset = NULL;
|
|
- xmlNodeSetPtr oldset;
|
|
- int i;
|
|
-
|
|
- if (ctxt == NULL) return;
|
|
- CHECK_ARITY(1);
|
|
- /*
|
|
- * Save the expression pointer since we will have to evaluate
|
|
- * it multiple times. Initialize the new set.
|
|
- */
|
|
- CHECK_TYPE(XPATH_NODESET);
|
|
- obj = valuePop(ctxt);
|
|
- oldset = obj->nodesetval;
|
|
- ctxt->context->node = NULL;
|
|
-
|
|
- cur = ctxt->cur;
|
|
- newset = xmlXPtrLocationSetCreate(NULL);
|
|
-
|
|
- for (i = 0; i < oldset->nodeNr; i++) {
|
|
- ctxt->cur = cur;
|
|
-
|
|
- /*
|
|
- * Run the evaluation with a node list made of a single item
|
|
- * in the nodeset.
|
|
- */
|
|
- ctxt->context->node = oldset->nodeTab[i];
|
|
- tmp = xmlXPathNewNodeSet(ctxt->context->node);
|
|
- valuePush(ctxt, tmp);
|
|
-
|
|
- xmlXPathEvalExpr(ctxt);
|
|
- CHECK_ERROR;
|
|
-
|
|
- /*
|
|
- * The result of the evaluation need to be tested to
|
|
- * decided whether the filter succeeded or not
|
|
- */
|
|
- res = valuePop(ctxt);
|
|
- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
|
|
- if (range != NULL) {
|
|
- xmlXPtrLocationSetAdd(newset, range);
|
|
- }
|
|
-
|
|
- /*
|
|
- * Cleanup
|
|
- */
|
|
- if (res != NULL)
|
|
- xmlXPathFreeObject(res);
|
|
- if (ctxt->value == tmp) {
|
|
- res = valuePop(ctxt);
|
|
- xmlXPathFreeObject(res);
|
|
- }
|
|
-
|
|
- ctxt->context->node = NULL;
|
|
- }
|
|
-
|
|
- /*
|
|
- * The result is used as the new evaluation set.
|
|
- */
|
|
- xmlXPathFreeObject(obj);
|
|
- ctxt->context->node = NULL;
|
|
- ctxt->context->contextSize = -1;
|
|
- ctxt->context->proximityPosition = -1;
|
|
- valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
|
|
+xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
|
|
+ int nargs ATTRIBUTE_UNUSED) {
|
|
+ XP_ERROR(XPATH_EXPR_ERROR);
|
|
}
|
|
|
|
/**
|