[xmlsec] Fix valgrind's invalid read with chained XPath transforms (based on patch from Frank Gross)

From: Aleksey Sanin <aleksey src gnome org>
To: svn-commits-list gnome org
Cc:
Subject: [xmlsec] Fix valgrind's invalid read with chained XPath transforms (based on patch from Frank Gross)
Date: Wed, 13 Jan 2010 21:05:10 +0000 (UTC)

commit 8ee4fbabcd651f01c6ec1b6aef70853f27db65a8
Author: Aleksey Sanin <aleksey aleksey com>
Date:   Wed Jan 13 13:03:25 2010 -0800

    Fix valgrind's invalid read with chained XPath transforms (based on patch from Frank Gross)

 ChangeLog     |    4 ++++
 src/nodeset.c |   25 ++++++++++++++++++-------
 2 files changed, 22 insertions(+), 7 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index b63503c..2baaef2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2010-01-13  Aleksey Sanin  <aleksey aleksey com>
+	* Fix valgrind's invalid read with chained XPath transforms (based
+	on patch from Frank Gross).
+
 2009-09-05  Aleksey Sanin  <aleksey aleksey com>
 	* preparation for 1.2.14 release
 
diff --git a/src/nodeset.c b/src/nodeset.c
index 74c2d5b..a5c0a36 100644
--- a/src/nodeset.c
+++ b/src/nodeset.c
@@ -78,29 +78,37 @@ xmlSecNodeSetCreate(xmlDocPtr doc, xmlNodeSetPtr nodes, xmlSecNodeSetType type)
 void
 xmlSecNodeSetDestroy(xmlSecNodeSetPtr nset) {
     xmlSecNodeSetPtr tmp;
+    xmlDocPtr destroyDoc = NULL;
 
     xmlSecAssert(nset != NULL);
-    	
+
     while((tmp = nset) != NULL) {
 	if((nset->next != NULL) && (nset->next != nset)) {
 	    nset->next->prev = nset->prev;
-	    nset->prev->next = nset->next;	    
+	    nset->prev->next = nset->next;
 	    nset = nset->next;
 	} else {
 	    nset = NULL;
 	}
 	
 	if(tmp->nodes != NULL) {
-    	    xmlXPathFreeNodeSet(tmp->nodes);
+	    xmlXPathFreeNodeSet(tmp->nodes);
 	}
 	if(tmp->children != NULL) {
 	    xmlSecNodeSetDestroy(tmp->children);
 	}
 	if((tmp->doc != NULL) && (tmp->destroyDoc != 0)) {
-	    xmlFreeDoc(tmp->doc);
+	    /* all nodesets should belong to the same doc */
+	    xmlSecAssert((destroyDoc == NULL) || (tmp->doc == destroyDoc));
+	    destroyDoc = tmp->doc; /* can't destroy here because other node sets can refer to it */
 	}
 	memset(tmp, 0,  sizeof(xmlSecNodeSet));
-        xmlFree(tmp);
+	xmlFree(tmp);
+    }
+
+    /* finally, destroy the doc if needed */
+    if(destroyDoc != NULL) {
+	xmlFreeDoc(destroyDoc);
     }
 }
 
@@ -272,11 +280,14 @@ xmlSecNodeSetAdd(xmlSecNodeSetPtr nset, xmlSecNodeSetPtr newNSet,
     if(nset == NULL) {
 	return(newNSet);
     }
-        
+
+    /* all nodesets should belong to the same doc */
+    xmlSecAssert2(nset->doc == newNSet->doc, NULL);
+
     newNSet->next = nset;
     newNSet->prev = nset->prev;
     nset->prev->next = newNSet;
-    nset->prev 	     = newNSet;
+    nset->prev       = newNSet;
     return(nset);
 }

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]