30 lines
1.1 KiB
Diff
30 lines
1.1 KiB
Diff
From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Veillard <veillard@redhat.com>
|
|
Date: Thu, 29 Oct 2015 19:33:23 +0800
|
|
Subject: Fix for type confusion in preprocessing attributes
|
|
|
|
CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
|
|
We need to check that the parent node is an element before dereferencing
|
|
its namespace
|
|
---
|
|
libxslt/preproc.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/libxslt/preproc.c b/libxslt/preproc.c
|
|
index 0eb80a0..7f69325 100644
|
|
--- a/libxslt/preproc.c
|
|
+++ b/libxslt/preproc.c
|
|
@@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) {
|
|
} else if (IS_XSLT_NAME(inst, "attribute")) {
|
|
xmlNodePtr parent = inst->parent;
|
|
|
|
- if ((parent == NULL) || (parent->ns == NULL) ||
|
|
+ if ((parent == NULL) ||
|
|
+ (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
|
|
((parent->ns != inst->ns) &&
|
|
(!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
|
|
(!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
|
|
--
|
|
cgit v0.11.2
|
|
|