37 lines
1.1 KiB
Diff
37 lines
1.1 KiB
Diff
|
From 3e8bbcdec8d2318ca8ab27a2a4a509a5d9bb2d51 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||
|
|
Date: Tue, 2 Feb 2021 04:28:15 +0100
|
||
|
|
Subject: [PATCH] Fix double-free with stylesheets containing entity nodes
|
||
|
|
|
||
|
|
Fix broken logic to make sure that entity nodes are deleted from the
|
||
|
|
stylesheet. Note that stylesheets parsed with XML_PARSE_NOENT, which
|
||
|
|
is included in XSLT_PARSE_OPTIONS, aren't affected.
|
||
|
|
|
||
|
|
Found by OSS-Fuzz.
|
||
|
|
---
|
||
|
|
libxslt/xslt.c | 8 ++------
|
||
|
|
1 file changed, 2 insertions(+), 6 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
|
||
|
|
index 7a1ce01..69116f2 100644
|
||
|
|
--- a/libxslt/xslt.c
|
||
|
|
+++ b/libxslt/xslt.c
|
||
|
|
@@ -3656,12 +3656,8 @@ xsltPreprocessStylesheet(xsltStylesheetPtr style, xmlNodePtr cur)
|
||
|
|
(!xsltCheckExtURI(style, cur->ns->href))) {
|
||
|
|
goto skip_children;
|
||
|
|
} else if (cur->children != NULL) {
|
||
|
|
- if ((cur->children->type != XML_ENTITY_DECL) &&
|
||
|
|
- (cur->children->type != XML_ENTITY_REF_NODE) &&
|
||
|
|
- (cur->children->type != XML_ENTITY_NODE)) {
|
||
|
|
- cur = cur->children;
|
||
|
|
- continue;
|
||
|
|
- }
|
||
|
|
+ cur = cur->children;
|
||
|
|
+ continue;
|
||
|
|
}
|
||
|
|
|
||
|
|
skip_children:
|
||
|
|
--
|
||
|
|
1.8.3.1
|
||
|
|
|