author: Daniel Veillard <veillard@redhat.com> 2012-08-27 16:20:05 +0800
committer: Daniel Veillard <veillard@redhat.com> 2012-08-27 16:20:05 +0800
commit: 8880170e2187d2041c81418711250841d264af02
tree: 31c4e4f42f5bbe769e1560b335bf85a9323f19f1 /include
parent: 890faa546bf386816dea59d0f1075bc3a42de263
Fix the XPath arity check to also check the XPath stack limits
Example xmlXPathNormalizeFunction() would do CHECK_ARITY(1) and then expect valuePop(ctxt); to return an object, except now valuePop() looks at the XPath stack frames and fails returning NULL, and we end up crashing dereferencing the object. Real solution is to extend CHECK_ARITY() and recompile all XPath functions using it.
Diffstat (limited to 'include')
-rw-r--r-- include/libxml/xpathInternals.h 4
1 files changed, 3 insertions, 1 deletions
diff --git a/include/libxml/xpathInternals.h b/include/libxml/xpathInternals.h
index dcd52434..a1944ae1 100644
--- a/include/libxml/xpathInternals.h
+++ b/include/libxml/xpathInternals.h
@@ -296,7 +296,9 @@ XMLPUBFUN void * XMLCALL
#define CHECK_ARITY(x) \
if (ctxt == NULL) return; \
if (nargs != (x)) \
- XP_ERROR(XPATH_INVALID_ARITY);
+ XP_ERROR(XPATH_INVALID_ARITY); \
+ if (ctxt->valueNr < ctxt->valueFrame + (x)) \
+ XP_ERROR(XPATH_STACK_ERROR);
/**
* CAST_TO_STRING:
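Review bot: The new `ctxt->valueNr < ctxt->valueFrame + (x)` check lives in a macro in a header under include/, so it only protects XPath functions that are rebuilt against this header. As the commit message says, every user of CHECK_ARITY() has to be recompiled, and any extension function built against the older header still passes the arity check and can get NULL back from valuePop(). It would be worth stating that in the macro's doc comment, along with the fact that CHECK_ARITY can now raise XPATH_STACK_ERROR as well as XPATH_INVALID_ARITY. As a style point, the macro now expands to three consecutive `if` statements with the final `;` inside the definition; wrapping the body in `do { ... } while (0)` would keep it safe when used as the body of an unbraced `if`/`else`.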