packages/libxml2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
libxml2/Revert-Fix-quadratic-runtime-in-xi-fallback-processi.patch
panxiaohe 311df5fe76 fix fuzz issues
2021-10-21 17:51:09 +08:00

68 lines
2.0 KiB
Diff
Raw Blame History

From 19cae17f5a2acfbd5554d145bb87cd6bf2de244f Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 19 Aug 2020 13:07:28 +0200
Subject: [PATCH] Revert "Fix quadratic runtime in xi:fallback processing"
This reverts commit 27119ec33c9f6b9830efa1e0da0acfa353dfa55a.
Not copying fallback children didn't fix up namespaces and could lead
to use-after-free errors.
Found by OSS-Fuzz.
---
xinclude.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/xinclude.c b/xinclude.c
index 3c810ca..9024535 100644
--- a/xinclude.c
+++ b/xinclude.c
@@ -1984,7 +1984,8 @@ xmlXIncludeLoadFallback(xmlXIncludeCtxtPtr ctxt, xmlNodePtr fallback, int nr) {
ret = -1;
xmlXIncludeFreeContext(newctxt);
- ctxt->incTab[nr]->inc = fallback->children;
+ ctxt->incTab[nr]->inc = xmlDocCopyNodeList(ctxt->doc,
+ fallback->children);
} else {
ctxt->incTab[nr]->inc = NULL;
}
@@ -2240,6 +2241,12 @@ xmlXIncludeIncludeNode(xmlXIncludeCtxtPtr ctxt, int nr) {
if (ctxt->incTab[nr]->fallback)
xmlUnsetProp(cur, BAD_CAST "href");
cur->type = XML_XINCLUDE_START;
+ /* Remove fallback children */
+ for (child = cur->children; child != NULL; child = next) {
+ next = child->next;
+ xmlUnlinkNode(child);
+ xmlFreeNode(child);
+ }
end = xmlNewDocNode(cur->doc, cur->ns, cur->name, NULL);
if (end == NULL) {
xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref,
@@ -2255,17 +2262,11 @@ xmlXIncludeIncludeNode(xmlXIncludeCtxtPtr ctxt, int nr) {
* Add the list of nodes
*/
while (list != NULL) {
- next = list->next;
- xmlAddPrevSibling(end, list);
- list = next;
- }
+ cur = list;
+ list = list->next;
- /* Remove fallback node */
- for (child = cur->children; child != NULL; child = next) {
- next = child->next;
- xmlUnlinkNode(child);
- xmlFreeNode(child);
- }
+ xmlAddPrevSibling(end, cur);
+ }
}
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink