[libxml2] Fix the XPath arity check to also check the XPath stack limits



commit 8880170e2187d2041c81418711250841d264af02
Author: Daniel Veillard <veillard redhat com>
Date:   Mon Aug 27 16:20:05 2012 +0800

    Fix the XPath arity check to also check the XPath stack limits
    
    Example xmlXPathNormalizeFunction() would do CHECK_ARITY(1)
    and then expect valuePop(ctxt); to return an object, except
    now valuePop() looks at the XPath stack frames and fails returning
    NULL, and we end up crashing dereferencing the object.
    Real solution is to extend CHECK_ARITY() and recompile all
    XPath functions using it.

 include/libxml/xpathInternals.h |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)
---
diff --git a/include/libxml/xpathInternals.h b/include/libxml/xpathInternals.h
index dcd5243..a1944ae 100644
--- a/include/libxml/xpathInternals.h
+++ b/include/libxml/xpathInternals.h
@@ -296,7 +296,9 @@ XMLPUBFUN void * XMLCALL
 #define CHECK_ARITY(x)							\
     if (ctxt == NULL) return;						\
     if (nargs != (x))							\
-        XP_ERROR(XPATH_INVALID_ARITY);
+        XP_ERROR(XPATH_INVALID_ARITY);					\
+    if (ctxt->valueNr < ctxt->valueFrame + (x))				\
+        XP_ERROR(XPATH_STACK_ERROR);
 
 /**
  * CAST_TO_STRING:
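
Review bot: the added `ctxt->valueNr < ctxt->valueFrame + (x)` test sits in a macro in a header under include/libxml/, so it only protects XPath functions that are rebuilt against this header; extension functions compiled elsewhere with the old CHECK_ARITY keep the NULL dereference the commit message describes. Consider also checking the result of valuePop() for NULL in the functions that dereference it, so the guard does not depend on every caller being recompiled. Two smaller points on the same lines: `(x)` is now expanded twice, so an argument with side effects would be evaluated twice, and the macro is now three bare `if` statements in a row, which is easy to misuse under an unbraced `if`/`else` at the call site. The comment block documenting CHECK_ARITY should mention that it can now raise XPATH_STACK_ERROR as well as XPATH_INVALID_ARITY.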


