# HG changeset patch # User Petr Sumbera # Date 1377547227 25200 # Node ID 76a9a8bd58ae28d3308e6e29c16567ed5599de5d # Parent 47e22e88e40cd5e03a7553347e405b79495b2ae2 16554178 problem in LIBRARY/LIBXSLT diff -r 47e22e88e40c -r 76a9a8bd58ae components/libxslt/patches/CVE-2012-6139-1.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/libxslt/patches/CVE-2012-6139-1.patch Mon Aug 26 13:00:27 2013 -0700 @@ -0,0 +1,65 @@ +From dc11b6b379a882418093ecc8adf11f6166682e8d Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 21 Oct 2012 17:02:25 +0000 +Subject: Fix crash with empty xsl:key/@match attribute + +See https://bugzilla.gnome.org/show_bug.cgi?id=685328 + +Also improve some xsl:key error messages. +--- +diff --git a/libxslt/keys.c b/libxslt/keys.c +index a995338..b8f1455 100644 +--- a/libxslt/keys.c ++++ b/libxslt/keys.c +@@ -312,8 +312,8 @@ xsltAddKey(xsltStylesheetPtr style, const xmlChar *name, + end = skipPredicate(match, end); + if (end <= 0) { + xsltTransformError(NULL, style, inst, +- "key pattern is malformed: %s", +- key->match); ++ "xsl:key : 'match' pattern is malformed: %s", ++ key->match); + if (style != NULL) style->errors++; + goto error; + } +@@ -322,7 +322,7 @@ xsltAddKey(xsltStylesheetPtr style, const xmlChar *name, + } + if (current == end) { + xsltTransformError(NULL, style, inst, +- "key pattern is empty\n"); ++ "xsl:key : 'match' pattern is empty\n"); + if (style != NULL) style->errors++; + goto error; + } +@@ -345,6 +345,12 @@ xsltAddKey(xsltStylesheetPtr style, const xmlChar *name, + } + current = end; + } ++ if (pattern == NULL) { ++ xsltTransformError(NULL, style, inst, ++ "xsl:key : 'match' pattern is empty\n"); ++ if (style != NULL) style->errors++; ++ goto error; ++ } + #ifdef WITH_XSLT_DEBUG_KEYS + xsltGenericDebug(xsltGenericDebugContext, + " resulting pattern %s\n", pattern); +@@ -359,14 +365,14 @@ xsltAddKey(xsltStylesheetPtr style, cons + key->comp = xsltXPathCompile(style, pattern); + if (key->comp == NULL) { + xsltTransformError(NULL, style, inst, +- "xsl:key : XPath pattern compilation failed '%s'\n", ++ "xsl:key : 'match' pattern compilation failed '%s'\n", + pattern); + if (style != NULL) style->errors++; + } + key->usecomp = xsltXPathCompile(style, use); + if (key->usecomp == NULL) { + xsltTransformError(NULL, style, inst, +- "xsl:key : XPath pattern compilation failed '%s'\n", ++ "xsl:key : 'use' expression compilation failed '%s'\n", + use); + if (style != NULL) style->errors++; + } +-- +cgit v0.9.2 diff -r 47e22e88e40c -r 76a9a8bd58ae components/libxslt/patches/CVE-2012-6139-2.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/libxslt/patches/CVE-2012-6139-2.patch Mon Aug 26 13:00:27 2013 -0700 @@ -0,0 +1,32 @@ +From 6c99c519d97e5fcbec7a9537d190efb442e4e833 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 10 Oct 2012 10:09:36 +0000 +Subject: Crash when passing an uninitialized variable to document() + +https://bugzilla.gnome.org/show_bug.cgi?id=685330 + +Missing check for NULL +--- +diff --git a/libxslt/functions.c b/libxslt/functions.c +index ed2c163..c754994 100644 +--- a/libxslt/functions.c ++++ b/libxslt/functions.c +@@ -260,7 +260,7 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs) + obj = valuePop(ctxt); + ret = xmlXPathNewNodeSet(NULL); + +- if (obj->nodesetval) { ++ if ((obj != NULL) && obj->nodesetval) { + for (i = 0; i < obj->nodesetval->nodeNr; i++) { + valuePush(ctxt, + xmlXPathNewNodeSet(obj->nodesetval->nodeTab[i])); +@@ -280,7 +280,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs) + } + } + +- xmlXPathFreeObject(obj); ++ if (obj != NULL) ++ xmlXPathFreeObject(obj); + if (obj2 != NULL) + xmlXPathFreeObject(obj2); + valuePush(ctxt, ret);