From e905f08123e4a6e7731549e6f09dadff4cab65bd Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 26 Jun 2016 12:38:28 +0200
Subject: Fix more NULL pointer derefs in xpointer.c
Found with afl-fuzz.
---
xpointer.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
Index: libxml2-2.9.4/xpointer.c
===================================================================
--- libxml2-2.9.4.orig/xpointer.c
+++ libxml2-2.9.4/xpointer.c
@@ -555,7 +555,7 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr sta
/*
* Empty set ...
*/
- if (end->nodesetval->nodeNr <= 0)
+ if ((end->nodesetval == NULL) || (end->nodesetval->nodeNr <= 0))
return(NULL);
break;
default:
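Review bot: The comment above the changed condition still says `* Empty set ...`, but the new test also returns NULL for a missing node set (`end->nodesetval == NULL`), so the comment no longer describes the whole guard; change it to `* Empty or missing set ...` so the NULL branch reads as intentional rather than as a stray check. xmlXPtrNewRangeNodeObject's body starts and ends outside the hunk, so whether `end` itself has been validated before this switch is not visible here.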
@@ -1400,7 +1400,7 @@ xmlXPtrEval(const xmlChar *str, xmlXPath
*/
xmlNodeSetPtr set;
set = tmp->nodesetval;
- if ((set->nodeNr != 1) ||
+ if ((set == NULL) || (set->nodeNr != 1) ||
(set->nodeTab[0] != (xmlNodePtr) ctx->doc))
stack++;
} else
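Review bot: With `set == NULL` the condition now increments `stack`, i.e. a missing node set is handled the same as a result that is not the document node; that is a sensible fallback but nothing states it, so a one-line comment such as `/* no node set at all: treat like a non-root result */` above the `if` would make the intent explicit. The remaining `set->nodeTab[0]` access is only reached when `nodeNr == 1`, so it stays safe after this change. xmlXPtrEval continues outside the hunk in both directions.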
@@ -2073,9 +2073,11 @@ xmlXPtrRangeFunction(xmlXPathParserConte
xmlXPathFreeObject(set);
XP_ERROR(XPATH_MEMORY_ERROR);
}
- for (i = 0;i < oldset->locNr;i++) {
- xmlXPtrLocationSetAdd(newset,
- xmlXPtrCoveringRange(ctxt, oldset->locTab[i]));
+ if (oldset != NULL){
+ for (i = 0;i < oldset->locNr;i++) {
+ xmlXPtrLocationSetAdd(newset,
+ xmlXPtrCoveringRange(ctxt, oldset->locTab[i]));
+ }
}
/*