diff options
author | Nick Wellnhofer <wellnhofer@aevum.de> | 2013-12-20 00:01:53 +0100 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2013-12-20 17:45:04 +0100 |
commit | 03c6723043775122313f107695066e5744189a08 (patch) | |
tree | 701e3fb5e03022c2b366a8233be05bc68b252318 | |
parent | 4d041a2e809f538c87af261f86008b6de833ca2b (diff) | |
download | android_external_libxml2-03c6723043775122313f107695066e5744189a08.tar.gz android_external_libxml2-03c6723043775122313f107695066e5744189a08.tar.bz2 android_external_libxml2-03c6723043775122313f107695066e5744189a08.zip |
Handling of XPath function arguments in error case
The XPath engine tries to guarantee that every XPath function can pop
'nargs' non-NULL values off the stack. libxslt, for example, relies on
this assumption. But the check isn't thorough enough if there are errors
during the evaluation of arguments. This can lead to segfaults:
https://mail.gnome.org/archives/xslt/2013-December/msg00005.html
This commit makes the handling of function arguments more robust.
* Bail out early when evaluation of XPath function arguments fails.
* Make sure that there are 'nargs' arguments in the current call frame.
-rw-r--r-- | xpath.c | 9 |
1 files changed, 7 insertions, 2 deletions
@@ -13524,10 +13524,15 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) int frame; frame = xmlXPathSetFrame(ctxt); - if (op->ch1 != -1) + if (op->ch1 != -1) { total += xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]); - if (ctxt->valueNr < op->value) { + if (ctxt->error != XPATH_EXPRESSION_OK) { + xmlXPathPopFrame(ctxt, frame); + return (total); + } + } + if (ctxt->valueNr < ctxt->valueFrame + op->value) { xmlGenericError(xmlGenericErrorContext, "xmlXPathCompOpEval: parameter error\n"); ctxt->error = XPATH_INVALID_OPERAND; |