[libxml2] Fix NULL pointer deref in xmlDumpElementContent

From: Nick Wellnhofer <nwellnhof src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxml2] Fix NULL pointer deref in xmlDumpElementContent
Date: Wed, 7 Jun 2017 18:07:21 +0000 (UTC)

commit 94691dc884d1a8ada39f073408b4bb92fe7fe882
Author: Daniel Veillard <veillard redhat com>
Date:   Wed Jun 7 16:47:36 2017 +0200

    Fix NULL pointer deref in xmlDumpElementContent
    
    Can only be triggered in recovery mode.
    
    Fixes bug 758422 (CVE-2017-5969).

 valid.c |   24 ++++++++++++++----------
 1 files changed, 14 insertions(+), 10 deletions(-)
---
diff --git a/valid.c b/valid.c
index 9b2df56..8075d3a 100644
--- a/valid.c
+++ b/valid.c
@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
            xmlBufferWriteCHAR(buf, content->name);
            break;
        case XML_ELEMENT_CONTENT_SEQ:
-           if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-               (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+           if ((content->c1 != NULL) &&
+               ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+                (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
                xmlDumpElementContent(buf, content->c1, 1);
            else
                xmlDumpElementContent(buf, content->c1, 0);
             xmlBufferWriteChar(buf, " , ");
-           if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
-               ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
-                (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+           if ((content->c2 != NULL) &&
+               ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+                ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+                 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
                xmlDumpElementContent(buf, content->c2, 1);
            else
                xmlDumpElementContent(buf, content->c2, 0);
            break;
        case XML_ELEMENT_CONTENT_OR:
-           if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-               (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+           if ((content->c1 != NULL) &&
+               ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+                (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
                xmlDumpElementContent(buf, content->c1, 1);
            else
                xmlDumpElementContent(buf, content->c1, 0);
             xmlBufferWriteChar(buf, " | ");
-           if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
-               ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
-                (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+           if ((content->c2 != NULL) &&
+               ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+                ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+                 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
                xmlDumpElementContent(buf, content->c2, 1);
            else
                xmlDumpElementContent(buf, content->c2, 0);

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]