[xslt] [PATCH 3/3] Fix NULL deref through valuePop retval: {e, }xslt*
- From: Jan Pokorný <jpokorny redhat com>
- To: xslt gnome org
- Subject: [xslt] [PATCH 3/3] Fix NULL deref through valuePop retval: {e, }xslt*
- Date: Wed, 18 Dec 2013 23:20:12 +0100
This fixes the remaining possible NULL pointer dereferences (caused by
using valuePop'd return values without prior checks). The patch was
generated from the following semantic patch (spatch/coccinelle):
// Fix possible NULL deref for valuePop retval
// jpokorny redhat com
@incl@
@@
#include <libxml/xpathInternals.h>
@voidfn depends on incl exists@
expression E;
identifier fn, f, item;
statement S1, S2;
@@
void fn (...) {
<...
E = valuePop(...);
+ if (E == NULL) return;
... when != if (E == NULL) S1 else S2
(
E->item;
|
E->item
)
...>
}
// for cases the function is non-void (which implicitly supposes
// a pointer as a return value rather than anything else);
// not found helpful in libxslt case presently anyway
//@nonvoidfn depends on incl exists@
//expression E;
//identifier fn != voidfn.fn, f, item;
//statement S1, S2;
//@@
//fn (...) {
//<...
//E = valuePop(...);
//+ if (E == NULL) return NULL;
//... when != if (E == NULL) S1 else S2
//(
//E->item;
//|
//E->item
//)
//...>
//}
Signed-off-by: Jan Pokorný <jpokorny redhat com>
---
libexslt/common.c | 2 ++
libexslt/saxon.c | 2 ++
libexslt/strings.c | 2 ++
libxslt/functions.c | 28 ++++++++++++++++++++++++++++
4 files changed, 34 insertions(+)
diff --git a/libexslt/common.c b/libexslt/common.c
index 451a60d..aecacb7 100644
--- a/libexslt/common.c
+++ b/libexslt/common.c
@@ -84,6 +84,8 @@ exsltObjectTypeFunction (xmlXPathParserContextPtr ctxt, int nargs) {
}
obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
switch (obj->type) {
case XPATH_STRING:
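Review bot: The added `if (obj == NULL) return;` leaves without pushing a result or recording an XPath error, so the caller sees what looks like a normal return with nothing on the stack. Recording an error first, e.g. `xmlXPathSetError(ctxt, XPATH_STACK_ERROR);`, would let evaluation stop instead of continuing with a missing value; how the evaluator treats an empty stack is not visible here, so treat this as something to confirm. The same silent return is added in the saxon.c and strings.c hunks and in the xsltDocumentFunction (-300), xsltUnparsedEntityURIFunction, xsltSystemPropertyFunction, xsltElementAvailableFunction and xsltFunctionAvailableFunction hunks of functions.c. The function body starts and ends outside this hunk.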
diff --git a/libexslt/saxon.c b/libexslt/saxon.c
index e92ba8d..0a729eb 100644
--- a/libexslt/saxon.c
+++ b/libexslt/saxon.c
@@ -243,6 +243,8 @@ exsltSaxonLineNumberFunction(xmlXPathParserContextPtr ctxt, int nargs) {
}
obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
nodelist = obj->nodesetval;
if ((nodelist == NULL) || (nodelist->nodeNr <= 0)) {
xmlXPathFreeObject(obj);
diff --git a/libexslt/strings.c b/libexslt/strings.c
index 3c702ad..188bdc9 100644
--- a/libexslt/strings.c
+++ b/libexslt/strings.c
@@ -486,6 +486,8 @@ exsltStrConcatFunction (xmlXPathParserContextPtr ctxt, int nargs) {
}
obj = valuePop (ctxt);
+ if (obj == NULL)
+ return;
if (xmlXPathNodeSetIsEmpty(obj->nodesetval)) {
xmlXPathReturnEmptyString(ctxt);
diff --git a/libxslt/functions.c b/libxslt/functions.c
index 4a5475d..d6e8aa8 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -251,6 +251,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs)
}
obj2 = valuePop(ctxt);
+ if (obj2 == NULL)
+ return;
}
if (ctxt->value->type == XPATH_NODESET) {
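Review bot: `ctxt->value->type` on the last context line is dereferenced right after the pop with no NULL check, which is the same class of defect this patch targets. Once `obj2` has been popped, `ctxt->value` is NULL if the stack held only that one value, and any check of `ctxt->value` earlier in the function (outside the hunk) would have run before the pop. Inside the block, after the new `obj2` check, a guard such as `if (ctxt->value == NULL) { xmlXPathFreeObject(obj2); return; }` would close it.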
@@ -258,6 +260,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs)
xmlXPathObjectPtr newobj, ret;
obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
ret = xmlXPathNewNodeSet(NULL);
if ((obj != NULL) && obj->nodesetval) {
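Review bot: With the added `if (obj == NULL) return;`, the `(obj != NULL) &&` test two lines further down can no longer be false, yet it still reads as if NULL were possible there; `if (obj->nodesetval) {` says the same thing. The `(obj2 == NULL) ||` term in the xsltKeyFunction hunk at -370 becomes dead in the same way. In that hunk the early return also skips whatever error handling the following `if` performs; its body is outside the hunk, so this needs checking against the full function.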
@@ -274,6 +278,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs)
}
xsltDocumentFunction(ctxt, 2);
newobj = valuePop(ctxt);
+ if (newobj == NULL)
+ return;
ret->nodesetval = xmlXPathNodeSetMerge(ret->nodesetval,
newobj->nodesetval);
xmlXPathFreeObject(newobj);
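Review bot: The early `return` when `newobj` is NULL leaks `ret`, which was allocated with `xmlXPathNewNodeSet(NULL)` in the previous hunk and is still owned at this point. It probably leaks `obj` as well, but its release lies outside the hunk. Freeing before leaving, `if (newobj == NULL) { xmlXPathFreeObject(ret); xmlXPathFreeObject(obj); return; }`, keeps this error path from leaking each time it is hit; confirm who owns `obj` before adding its free. The `newobj` check in the xsltKeyFunction hunk at -401 has the same shape and the same problem with `ret`.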
@@ -300,6 +306,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs)
return;
}
obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
if (obj->stringval == NULL) {
valuePush(ctxt, xmlXPathNewNodeSet(NULL));
} else {
@@ -370,6 +378,8 @@ xsltKeyFunction(xmlXPathParserContextPtr ctxt, int nargs){
* Get the key's value.
*/
obj2 = valuePop(ctxt);
+ if (obj2 == NULL)
+ return;
xmlXPathStringFunction(ctxt, 1);
if ((obj2 == NULL) ||
(ctxt->value == NULL) || (ctxt->value->type != XPATH_STRING)) {
@@ -401,6 +411,8 @@ xsltKeyFunction(xmlXPathParserContextPtr ctxt, int nargs){
xmlXPathStringFunction(ctxt, 1);
xsltKeyFunction(ctxt, 2);
newobj = valuePop(ctxt);
+ if (newobj == NULL)
+ return;
ret->nodesetval = xmlXPathNodeSetMerge(ret->nodesetval,
newobj->nodesetval);
xmlXPathFreeObject(newobj);
@@ -466,6 +478,8 @@ xsltKeyFunction(xmlXPathParserContextPtr ctxt, int nargs){
goto error;
}
obj2 = valuePop(ctxt);
+ if (obj2 == NULL)
+ return;
value = obj2->stringval;
/*
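Review bot: The added `return` bypasses the function's `error` label, which the failure path just above the pop already uses (`goto error;`), so anything that label releases is skipped here. `if (obj2 == NULL) goto error;` would be consistent with the surrounding code, provided the cleanup under `error` (outside the hunk) tolerates a NULL `obj2`.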
@@ -566,6 +580,8 @@ xsltUnparsedEntityURIFunction(xmlXPathParserContextPtr ctxt, int nargs){
return;
}
obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
if (obj->type != XPATH_STRING) {
obj = xmlXPathConvertString(obj);
}
@@ -620,6 +636,8 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
case 3:
CAST_TO_STRING;
decimalObj = valuePop(ctxt);
+ if (decimalObj == NULL)
+ return;
formatValues = xsltDecimalFormatGetByName(sheet, decimalObj->stringval);
if (formatValues == NULL) {
xsltTransformError(tctxt, NULL, NULL,
@@ -630,8 +648,12 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
case 2:
CAST_TO_STRING;
formatObj = valuePop(ctxt);
+ if (formatObj == NULL)
+ return;
CAST_TO_NUMBER;
numberObj = valuePop(ctxt);
+ if (numberObj == NULL)
+ return;
break;
default:
XP_ERROR(XPATH_INVALID_ARITY);
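Review bot: In `case 2`, returning when `numberObj` is NULL leaks `formatObj`, which was popped successfully just above and is not released on this path. `if (numberObj == NULL) { xmlXPathFreeObject(formatObj); return; }` avoids that. If `case 3` falls through into `case 2` (the lines between the two hunks are not shown), `decimalObj` would need freeing on both of these returns as well.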
@@ -757,6 +779,8 @@ xsltSystemPropertyFunction(xmlXPathParserContextPtr ctxt, int nargs){
return;
}
obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
if (obj->stringval == NULL) {
valuePush(ctxt, xmlXPathNewString((const xmlChar *)""));
} else {
@@ -853,6 +877,8 @@ xsltElementAvailableFunction(xmlXPathParserContextPtr ctxt, int nargs){
return;
}
obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
tctxt = xsltXPathGetTransformContext(ctxt);
if (tctxt == NULL) {
xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL,
@@ -919,6 +945,8 @@ xsltFunctionAvailableFunction(xmlXPathParserContextPtr ctxt, int nargs){
return;
}
obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
name = xmlSplitQName2(obj->stringval, &prefix);
if (name == NULL) {
--
1.8.1.4