46 lines
1.4 KiB
Diff
46 lines
1.4 KiB
Diff
From 46041b65f2fbddf5c284ee1a1332fa2c515c0515 Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Thu, 5 Dec 2024 12:43:19 +0100
|
|
Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
|
|
|
|
Definitions of excluded namespaces could be deleted in
|
|
xsltParseTemplateContent. Store excluded namespace URIs in the
|
|
stylesheet's dictionary instead of referencing the namespace definition.
|
|
|
|
Thanks to Ivan Fratric for the report!
|
|
|
|
Fixes #127.
|
|
---
|
|
libxslt/xslt.c | 12 +++++++++++-
|
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
|
|
index 22fdb758..6532f976 100644
|
|
--- a/libxslt/xslt.c
|
|
+++ b/libxslt/xslt.c
|
|
@@ -147,10 +147,20 @@ xsltParseContentError(xsltStylesheetPtr style,
|
|
* in case of error
|
|
*/
|
|
static int
|
|
-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
|
|
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
|
|
{
|
|
+ xmlChar *value;
|
|
int i;
|
|
|
|
+ /*
|
|
+ * orig can come from a namespace definition on a node which
|
|
+ * could be deleted later, for example in xsltParseTemplateContent.
|
|
+ * Store the string in stylesheet's dict to avoid use after free.
|
|
+ */
|
|
+ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
|
|
+ if (value == NULL)
|
|
+ return(-1);
|
|
+
|
|
/* do not push duplicates */
|
|
for (i = 0;i < style->exclPrefixNr;i++) {
|
|
if (xmlStrEqual(style->exclPrefixTab[i], value))
|
|
--
|
|
GitLab
|
|
|