File libxslt-CVE-2012-6139.patch of Package libxslt.openSUSE_12.1_Update

From dc11b6b379a882418093ecc8adf11f6166682e8d Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 21 Oct 2012 17:02:25 +0000
Subject: Fix crash with empty xsl:key/@match attribute

See https://bugzilla.gnome.org/show_bug.cgi?id=685328

Also improve some xsl:key error messages.

From 6c99c519d97e5fcbec7a9537d190efb442e4e833 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 10 Oct 2012 10:09:36 +0000
Subject: Crash when passing an uninitialized variable to document()

https://bugzilla.gnome.org/show_bug.cgi?id=685330

Missing check for NULL
---
Index: libxslt-1.1.26/libxslt/keys.c
===================================================================
--- libxslt-1.1.26.orig/libxslt/keys.c	2013-03-26 11:58:20.518990106 +0100
+++ libxslt-1.1.26/libxslt/keys.c	2013-03-26 11:58:21.717026395 +0100
@@ -311,8 +311,8 @@ xsltAddKey(xsltStylesheetPtr style, cons
 	        end = skipPredicate(match, end);
 		if (end <= 0) {
 		    xsltTransformError(NULL, style, inst,
-		                       "key pattern is malformed: %s",
-				       key->match);
+		        "xsl:key : 'match' pattern is malformed: %s",
+		        key->match);
 		    if (style != NULL) style->errors++;
 		    goto error;
 		}
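Review bot: The reworded message at the `end <= 0` branch still has no trailing newline, while every other xsl:key message touched by this patch ends in `\n`. Because the format string echoes `key->match` from the stylesheet, the next log line will run straight on from attacker-influenced text, which makes error logs harder to read and to parse. Suggest `"xsl:key : 'match' pattern is malformed: %s\n",`. The enclosing loop in xsltAddKey starts outside the hunk.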
@@ -321,7 +321,7 @@ xsltAddKey(xsltStylesheetPtr style, cons
 	}
 	if (current == end) {
 	    xsltTransformError(NULL, style, inst,
-			       "key pattern is empty\n");
+			       "xsl:key : 'match' pattern is empty\n");
 	    if (style != NULL) style->errors++;
 	    goto error;
 	}
@@ -344,6 +344,12 @@ xsltAddKey(xsltStylesheetPtr style, cons
 	}
 	current = end;
     }
+    if (pattern == NULL) {
+        xsltTransformError(NULL, style, inst,
+                           "xsl:key : 'match' pattern is empty\n");
+        if (style != NULL) style->errors++;
+        goto error;
+    }
 #ifdef WITH_XSLT_DEBUG_KEYS
     xsltGenericDebug(xsltGenericDebugContext,
 	"   resulting pattern %s\n", pattern);
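Review bot: The added `pattern == NULL` check has no comment saying how control reaches it, and it reuses the "pattern is empty" text already emitted by the `current == end` branch, so the two exits cannot be told apart in a log. From the visible loop tail, `pattern` appears to be built only inside the loop, so it presumably stays NULL when `match` is an empty string and the loop body never runs. A comment such as `/* match was "": the loop never ran, so no pattern was built */` would record that. The `error` label is outside the hunk; if `key` is allocated earlier in xsltAddKey, confirm that this new exit path releases it as well as `pattern`.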
@@ -359,14 +365,14 @@ xsltAddKey(xsltStylesheetPtr style, cons
     key->comp = xsltXPathCompile(style, pattern);
     if (key->comp == NULL) {
 	xsltTransformError(NULL, style, inst,
-		"xsl:key : XPath pattern compilation failed '%s'\n",
+		"xsl:key : 'match' pattern compilation failed '%s'\n",
 		         pattern);
 	if (style != NULL) style->errors++;
     }
     key->usecomp = xsltXPathCompile(style, use);
     if (key->usecomp == NULL) {
 	xsltTransformError(NULL, style, inst,
-		"xsl:key : XPath pattern compilation failed '%s'\n",
+		"xsl:key : 'use' expression compilation failed '%s'\n",
 		         use);
 	if (style != NULL) style->errors++;
     }
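Review bot: Both compile-failure branches only bump `style->errors` and fall through, unlike the checks earlier in the function that `goto error`, so a key whose `comp` or `usecomp` is NULL continues into the rest of xsltAddKey. The remainder of the function is outside the hunk, so whether that key is still registered cannot be confirmed from here. If it is, either add `goto error;` after each `style->errors++;` or add a comment stating that later users of the key must tolerate a NULL `comp`/`usecomp`.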
Index: libxslt-1.1.26/libxslt/functions.c
===================================================================
--- libxslt-1.1.26.orig/libxslt/functions.c	2013-03-26 11:58:20.519990136 +0100
+++ libxslt-1.1.26/libxslt/functions.c	2013-03-26 11:58:21.718026425 +0100
@@ -260,7 +260,7 @@ xsltDocumentFunction(xmlXPathParserConte
         obj = valuePop(ctxt);
         ret = xmlXPathNewNodeSet(NULL);
 
-        if (obj->nodesetval) {
+        if ((obj != NULL) && obj->nodesetval) {
             for (i = 0; i < obj->nodesetval->nodeNr; i++) {
                 valuePush(ctxt,
                           xmlXPathNewNodeSet(obj->nodesetval->nodeTab[i]));
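Review bot: The new `(obj != NULL)` test has no comment saying when `valuePop(ctxt)` can return NULL, so the guard reads as arbitrary and is easy to drop in a later cleanup. The commit message and the added bug-180 test tie it to `document()` being called with an undeclared variable. A one-line comment such as `/* valuePop() returns NULL when the XPath stack is short, e.g. document($undeclared) */` would record that. `ret` from `xmlXPathNewNodeSet(NULL)` on the line above is also not checked before it is pushed in the next hunk, which is worth confirming against allocation failure. The enclosing function starts and ends outside the hunk.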
@@ -280,7 +280,8 @@ xsltDocumentFunction(xmlXPathParserConte
             }
         }
 
-        xmlXPathFreeObject(obj);
+        if (obj != NULL)
+            xmlXPathFreeObject(obj);
         if (obj2 != NULL)
             xmlXPathFreeObject(obj2);
         valuePush(ctxt, ret);
Index: libxslt-1.1.26/tests/docs/bug-180.xml
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ libxslt-1.1.26/tests/docs/bug-180.xml	2013-03-26 11:58:21.719026455 +0100
@@ -0,0 +1,2 @@
+<doc/>
+
Index: libxslt-1.1.26/tests/general/bug-180.err
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ libxslt-1.1.26/tests/general/bug-180.err	2013-03-26 11:58:21.720026486 +0100
@@ -0,0 +1,4 @@
+runtime error: file ./bug-180.xsl line 4 element copy-of
+Variable 'xxx' has not been declared.
+XPath error : Stack usage errror
+xmlXPathCompiledEval: 1 objects left on the stack.
Index: libxslt-1.1.26/tests/general/bug-180.xsl
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ libxslt-1.1.26/tests/general/bug-180.xsl	2013-03-26 11:58:21.721026516 +0100
@@ -0,0 +1,8 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+
+  <xsl:template match="/">
+      <xsl:copy-of select=" * | document($xxx) "/>
+  </xsl:template>
+
+</xsl:stylesheet>
+
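Review bot: The regression files added here (bug-180.xml, .err, .xsl) exercise only the `document($xxx)` crash. Nothing in this patch adds a stylesheet with an empty `match` on `xsl:key`, so the new `pattern == NULL` branch in keys.c is untested as far as this page shows. A second fixture would cover it, for example a stylesheet containing `<xsl:key name="k" match="" use="."/>` (constructed example) with the `xsl:key : 'match' pattern is empty` message in its expected .err file.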