Commit | Line | Data |
---|---|---|
9aa43069 VM |
1 | From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001 |
2 | From: Daniel Veillard <veillard@redhat.com> | |
3 | Date: Thu, 29 Oct 2015 19:33:23 +0800 | |
4 | Subject: Fix for type confusion in preprocessing attributes | |
5 | ||
6 | CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10 | |
7 | We need to check that the parent node is an element before dereferencing | |
8 | its namespace | |
9 | --- | |
10 | libxslt/preproc.c | 3 ++- | |
11 | 1 file changed, 2 insertions(+), 1 deletion(-) | |
12 | ||
13 | diff --git a/libxslt/preproc.c b/libxslt/preproc.c | |
14 | index 0eb80a0..7f69325 100644 | |
15 | --- a/libxslt/preproc.c | |
16 | +++ b/libxslt/preproc.c | |
17 | @@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) { | |
18 | } else if (IS_XSLT_NAME(inst, "attribute")) { | |
19 | xmlNodePtr parent = inst->parent; | |
20 | ||
21 | - if ((parent == NULL) || (parent->ns == NULL) || | |
22 | + if ((parent == NULL) || | |
23 | + (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) || | |
24 | ((parent->ns != inst->ns) && | |
25 | (!xmlStrEqual(parent->ns->href, inst->ns->href))) || | |
26 | (!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) { | |
27 | -- | |
28 | cgit v0.11.2 | |
29 |