author | Nick Wellnhofer <wellnhofer@aevum.de> | 2016-06-25 12:35:50 +0200 |
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2016-06-25 14:24:51 +0200 |
commit | d8083bf77955b7879c1290f0c0a24ab8cc70f7fb (patch) | |
tree | 5169a6dc958369756be35c3843f485eda56893b0 | |
parent | 1fc55ca72b9513f1695a63d0dc4f0a250a079982 (diff) | |
download | libxml2-d8083bf77955b7879c1290f0c0a24ab8cc70f7fb.tar.gz |
Fix NULL pointer deref in XPointer range-to
- Check for errors after evaluating first operand.
- Add sanity check for empty stack.
Found with afl-fuzz.
-rw-r--r-- | result/XPath/xptr/viderror | 4 | ||||
-rw-r--r-- | test/XPath/xptr/viderror | 1 | ||||
-rw-r--r-- | xpath.c | 7 |
3 files changed, 11 insertions, 1 deletions
diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror
new file mode 100644
index 00000000..d589882d
--- /dev/null
+++ b/result/XPath/xptr/viderror
@@ -0,0 +1,4 @@
+
+========================
+Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))
+Object is empty (NULL)
diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror
new file mode 100644
index 00000000..da8c53b2
--- /dev/null
+++ b/test/XPath/xptr/viderror
@@ -0,0 +1 @@
+xpointer(non-existing-fn()/range-to(id('chapter2')))
@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
 xmlNodeSetPtr oldset;
 int i, j;
 
- if (op->ch1 != -1)
+ if (op->ch1 != -1) {
 total +=
 xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
+ CHECK_ERROR0;
+ }
+ if (ctxt->value == NULL) {
+ XP_ERROR0(XPATH_INVALID_OPERAND);
+ }
 if (op->ch2 == -1)
 return (total);
 
|
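Review bot: The new `if (ctxt->value == NULL)` guard in the xpath.c hunk carries no comment explaining why the value stack can be empty at this point, and since it sits outside the `op->ch1 != -1` block it also fires when the step has no first operand at all, which a later reader may mistake for an unintended rejection rather than the deliberate empty-stack sanity check the commit message describes. I would add above it `/* range-to needs the object left on the stack by ch1 (if any); presumably it is dereferenced further down, so fail with an XPath error instead of crashing on a missing operand */`. The added `CHECK_ERROR0` right after the ch1 evaluation is what stops the known-bad expression in the new test from reaching that dereference, and the result file shows the evaluation now ends with `Object is empty (NULL)` rather than a crash. The XPATH_OP_RANGETO case and xmlXPathCompOpEval itself continue beyond the hunk, and the xpath.c file header is not shown on this page, so the rest of the case could not be checked here.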