[libxml2] Don't follow next pointer on documents in xmlXPathRunStreamEval

From: Nick Wellnhofer <nwellnhof src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxml2] Don't follow next pointer on documents in xmlXPathRunStreamEval
Date: Wed, 24 Jun 2020 13:51:45 +0000 (UTC)

commit 9f42f6baaa91b6461ddfce345c174ea5f1ee73c3
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Wed Jun 24 15:33:38 2020 +0200

    Don't follow next pointer on documents in xmlXPathRunStreamEval
    
    RVTs from libxslt are document nodes which are linked using the 'next'
    pointer. These pointers must never be used to navigate the document
    tree. Otherwise, random content from other RVTs could be returned
    when evaluating XPath expressions.
    
    It's interesting that this seemingly long-standing bug wasn't
    discovered earlier. This issue could also cause severe performance
    degradation.
    
    Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/37

 xpath.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
---
diff --git a/xpath.c b/xpath.c
index 74848cda..a5ddb9d4 100644
--- a/xpath.c
+++ b/xpath.c
@@ -13833,7 +13833,8 @@ scan_children:
        do {
            cur = cur->parent;
            depth--;
-           if ((cur == NULL) || (cur == limit))
+           if ((cur == NULL) || (cur == limit) ||
+                (cur->type == XML_DOCUMENT_NODE))
                goto done;
            if (cur->type == XML_ELEMENT_NODE) {
                ret = xmlStreamPop(patstream);

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]