You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
64 lines
2.5 KiB
64 lines
2.5 KiB
7 years ago
|
From 8952ce48a5fa1d3de1f087f10e8b6e47bb59f4e3 Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Veillard <veillard@redhat.com>
|
||
|
Date: Wed, 7 Jun 2017 16:47:36 +0200
|
||
|
Subject: [PATCH 1/7] Fix NULL pointer deref in xmlDumpElementContent
|
||
|
|
||
|
Can only be triggered in recovery mode.
|
||
|
|
||
|
Fixes bug 758422 (CVE-2017-5969).
|
||
|
---
|
||
|
valid.c | 24 ++++++++++++++----------
|
||
|
1 file changed, 14 insertions(+), 10 deletions(-)
|
||
|
|
||
|
diff --git a/valid.c b/valid.c
|
||
|
index 19f84b82..0a8e58ab 100644
|
||
|
--- a/valid.c
|
||
|
+++ b/valid.c
|
||
|
@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
|
||
|
xmlBufferWriteCHAR(buf, content->name);
|
||
|
break;
|
||
|
case XML_ELEMENT_CONTENT_SEQ:
|
||
|
- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
|
||
|
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
|
||
|
+ if ((content->c1 != NULL) &&
|
||
|
+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
|
||
|
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
|
||
|
xmlDumpElementContent(buf, content->c1, 1);
|
||
|
else
|
||
|
xmlDumpElementContent(buf, content->c1, 0);
|
||
|
xmlBufferWriteChar(buf, " , ");
|
||
|
- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
|
||
|
- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
|
||
|
- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
|
||
|
+ if ((content->c2 != NULL) &&
|
||
|
+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
|
||
|
+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
|
||
|
+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
|
||
|
xmlDumpElementContent(buf, content->c2, 1);
|
||
|
else
|
||
|
xmlDumpElementContent(buf, content->c2, 0);
|
||
|
break;
|
||
|
case XML_ELEMENT_CONTENT_OR:
|
||
|
- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
|
||
|
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
|
||
|
+ if ((content->c1 != NULL) &&
|
||
|
+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
|
||
|
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
|
||
|
xmlDumpElementContent(buf, content->c1, 1);
|
||
|
else
|
||
|
xmlDumpElementContent(buf, content->c1, 0);
|
||
|
xmlBufferWriteChar(buf, " | ");
|
||
|
- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
|
||
|
- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
|
||
|
- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
|
||
|
+ if ((content->c2 != NULL) &&
|
||
|
+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
|
||
|
+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
|
||
|
+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
|
||
|
xmlDumpElementContent(buf, content->c2, 1);
|
||
|
else
|
||
|
xmlDumpElementContent(buf, content->c2, 0);
|
||
|
--
|
||
|
2.14.1
|
||
|
|