From 3e8bbcdec8d2318ca8ab27a2a4a509a5d9bb2d51 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Tue, 2 Feb 2021 04:28:15 +0100 Subject: [PATCH] Fix double-free with stylesheets containing entity nodes Fix broken logic to make sure that entity nodes are deleted from the stylesheet. Note that stylesheets parsed with XML_PARSE_NOENT, which is included in XSLT_PARSE_OPTIONS, aren't affected. Found by OSS-Fuzz. --- libxslt/xslt.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/libxslt/xslt.c b/libxslt/xslt.c index 7a1ce01..69116f2 100644 --- a/libxslt/xslt.c +++ b/libxslt/xslt.c @@ -3656,12 +3656,8 @@ xsltPreprocessStylesheet(xsltStylesheetPtr style, xmlNodePtr cur) (!xsltCheckExtURI(style, cur->ns->href))) { goto skip_children; } else if (cur->children != NULL) { - if ((cur->children->type != XML_ENTITY_DECL) && - (cur->children->type != XML_ENTITY_REF_NODE) && - (cur->children->type != XML_ENTITY_NODE)) { - cur = cur->children; - continue; - } + cur = cur->children; + continue; } skip_children: -- 1.8.3.1