libxslt: Fix handling of RVTs returned from nested EXSLT functions

Set the context variable to NULL when evaluating EXSLT functions. Fixes potential use-after-free errors or memory leaks. Fixes bug 792580 (From OE-Core rev: a997bcd3f985b65141f9b7a497581da2fd7afc10) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Andrej Valek <andrej.valek@siemens.com> 2018-05-16 12:59:22 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-05-22 13:13:33 +0100
commit: 669a89f377f7e41731b6920c71231269aebcb229 (patch)
tree: fcce09c6c544797c5a198f50e7419da2cdad79b1 /meta
parent: 46a8d4e8479c1f3eb136ef5c91a91ed431fa025a (diff)
download: poky-669a89f377f7e41731b6920c71231269aebcb229.tar.gz
2 files changed, 84 insertions, 1 deletions
diff --git a/meta/recipes-support/libxslt/libxslt/fix-rvts-handling.patch b/meta/recipes-support/libxslt/libxslt/fix-rvts-handling.patch
new file mode 100644
index 0000000000..424c976d9b
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/fix-rvts-handling.patch
@@ -0,0 +1,80 @@
+libxslt-1.1.32: Fix handling of RVTs returned from nested EXSLT functions
+[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=792580
+Set the context variable to NULL when evaluating EXSLT functions.
+Fixes potential use-after-free errors or memory leaks.
+Upstream-Status: Backport [https://git.gnome.org/browse/libxslt/commit/?id=8bd32f7753ac253a54279a0b6a88d15a57076bb0]
+bug: 792580
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+diff --git a/libexslt/functions.c b/libexslt/functions.c
+index dc794e3..8511cb0 100644
+--- a/libexslt/functions.c
+++ b/libexslt/functions.c
+@@ -280,6 +280,7 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
+     exsltFuncFunctionData *func;
+     xmlNodePtr paramNode, oldInsert, fake;
+     int oldBase;
+    void *oldCtxtVar;
+     xsltStackElemPtr params = NULL, param;
+     xsltTransformContextPtr tctxt = xsltXPathGetTransformContext(ctxt);
+     int i, notSet;
+@@ -418,11 +419,14 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
+     fake = xmlNewDocNode(tctxt->output, NULL,
+                         (const xmlChar *)"fake", NULL);
+     oldInsert = tctxt->insert;
+    oldCtxtVar = tctxt->contextVariable;
+     tctxt->insert = fake;
+    tctxt->contextVariable = NULL;
+     xsltApplyOneTemplate (tctxt, tctxt->node,
+                          func->content, NULL, NULL);
+     xsltLocalVariablePop(tctxt, tctxt->varsBase, -2);
+     tctxt->insert = oldInsert;
+    tctxt->contextVariable = oldCtxtVar;
+     tctxt->varsBase = oldBase; /* restore original scope */
+     if (params != NULL)
+        xsltFreeStackElemList(params);
+diff --git a/tests/docs/bug-209.xml b/tests/docs/bug-209.xml
+new file mode 100644
+index 0000000..69d62f2
+--- /dev/null
+++ b/tests/docs/bug-209.xml
+@@ -0,0 +1 @@
+<doc/>
+diff --git a/tests/general/bug-209.out b/tests/general/bug-209.out
+new file mode 100644
+index 0000000..e829790
+--- /dev/null
+++ b/tests/general/bug-209.out
+@@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+<result/>
+diff --git a/tests/general/bug-209.xsl b/tests/general/bug-209.xsl
+new file mode 100644
+index 0000000..fe69ac6
+--- /dev/null
+++ b/tests/general/bug-209.xsl
+@@ -0,0 +1,21 @@
+<xsl:stylesheet
+    version="1.0"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:func="http://exslt.org/functions"
+    extension-element-prefixes="func">
+
+    <xsl:template match="/">
+        <xsl:variable name="v" select="func:a()" />
+        <xsl:copy-of select="$v"/>
+    </xsl:template>
+
+    <func:function name="func:a">
+        <func:result select="func:b()" />
+    </func:function>
+
+    <func:function name="func:b">
+        <func:result>
+            <result/>
+        </func:result>
+    </func:function>
+</xsl:stylesheet>
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.32.bb b/meta/recipes-support/libxslt/libxslt_1.1.32.bb
index 6a03f77699..f0fa5e723f 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.32.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.32.bb
@@ -8,7 +8,10 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
 SECTION = "libs"
 DEPENDS = "libxml2"
-SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz"
+SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
+           file://fix-rvts-handling.patch \
+           "
 SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146"
 SRC_URI[sha256sum] = "526ecd0abaf4a7789041622c3950c0e7f2c4c8835471515fd77eec684a355460"
author	Andrej Valek <andrej.valek@siemens.com>	2018-05-16 12:59:22 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-05-22 13:13:33 +0100
commit	669a89f377f7e41731b6920c71231269aebcb229 (patch)
tree	fcce09c6c544797c5a198f50e7419da2cdad79b1 /meta
parent	46a8d4e8479c1f3eb136ef5c91a91ed431fa025a (diff)
download	poky-669a89f377f7e41731b6920c71231269aebcb229.tar.gz

diff --git a/meta/recipes-support/libxslt/libxslt/fix-rvts-handling.patch b/meta/recipes-support/libxslt/libxslt/fix-rvts-handling.patch new file mode 100644 index 0000000000..424c976d9b --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/fix-rvts-handling.patch
@@ -0,0 +1,80 @@
		1	libxslt-1.1.32: Fix handling of RVTs returned from nested EXSLT functions
		2
		3	[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=792580
		4
		5	Set the context variable to NULL when evaluating EXSLT functions.
		6	Fixes potential use-after-free errors or memory leaks.
		7
		8	Upstream-Status: Backport [https://git.gnome.org/browse/libxslt/commit/?id=8bd32f7753ac253a54279a0b6a88d15a57076bb0]
		9	bug: 792580
		10	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
		11
		12	diff --git a/libexslt/functions.c b/libexslt/functions.c
		13	index dc794e3..8511cb0 100644
		14	--- a/libexslt/functions.c
		15	+++ b/libexslt/functions.c
		16	@@ -280,6 +280,7 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
		17	exsltFuncFunctionData *func;
		18	xmlNodePtr paramNode, oldInsert, fake;
		19	int oldBase;
		20	+ void *oldCtxtVar;
		21	xsltStackElemPtr params = NULL, param;
		22	xsltTransformContextPtr tctxt = xsltXPathGetTransformContext(ctxt);
		23	int i, notSet;
		24	@@ -418,11 +419,14 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
		25	fake = xmlNewDocNode(tctxt->output, NULL,
		26	(const xmlChar *)"fake", NULL);
		27	oldInsert = tctxt->insert;
		28	+ oldCtxtVar = tctxt->contextVariable;
		29	tctxt->insert = fake;
		30	+ tctxt->contextVariable = NULL;
		31	xsltApplyOneTemplate (tctxt, tctxt->node,
		32	func->content, NULL, NULL);
		33	xsltLocalVariablePop(tctxt, tctxt->varsBase, -2);
		34	tctxt->insert = oldInsert;
		35	+ tctxt->contextVariable = oldCtxtVar;
		36	tctxt->varsBase = oldBase; /* restore original scope */
		37	if (params != NULL)
		38	xsltFreeStackElemList(params);
		39	diff --git a/tests/docs/bug-209.xml b/tests/docs/bug-209.xml
		40	new file mode 100644
		41	index 0000000..69d62f2
		42	--- /dev/null
		43	+++ b/tests/docs/bug-209.xml
		44	@@ -0,0 +1 @@
		45	+<doc/>
		46	diff --git a/tests/general/bug-209.out b/tests/general/bug-209.out
		47	new file mode 100644
		48	index 0000000..e829790
		49	--- /dev/null
		50	+++ b/tests/general/bug-209.out
		51	@@ -0,0 +1,2 @@
		52	+<?xml version="1.0"?>
		53	+<result/>
		54	diff --git a/tests/general/bug-209.xsl b/tests/general/bug-209.xsl
		55	new file mode 100644
		56	index 0000000..fe69ac6
		57	--- /dev/null
		58	+++ b/tests/general/bug-209.xsl
		59	@@ -0,0 +1,21 @@
		60	+<xsl:stylesheet
		61	+ version="1.0"
		62	+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
		63	+ xmlns:func="http://exslt.org/functions"
		64	+ extension-element-prefixes="func">
		65	+
		66	+ <xsl:template match="/">
		67	+ <xsl:variable name="v" select="func:a()" />
		68	+ <xsl:copy-of select="$v"/>
		69	+ </xsl:template>
		70	+
		71	+ <func:function name="func:a">
		72	+ <func:result select="func:b()" />
		73	+ </func:function>
		74	+
		75	+ <func:function name="func:b">
		76	+ <func:result>
		77	+ <result/>
		78	+ </func:result>
		79	+ </func:function>
		80	+</xsl:stylesheet>


diff --git a/meta/recipes-support/libxslt/libxslt_1.1.32.bb b/meta/recipes-support/libxslt/libxslt_1.1.32.bb index 6a03f77699..f0fa5e723f 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.32.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.32.bb
@@ -8,7 +8,10 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
8	SECTION = "libs"	8	SECTION = "libs"
9	DEPENDS = "libxml2"	9	DEPENDS = "libxml2"
10		10
11	SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz"	11	SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
		12	file://fix-rvts-handling.patch \
		13	"
		14
12	SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146"	15	SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146"
13	SRC_URI[sha256sum] = "526ecd0abaf4a7789041622c3950c0e7f2c4c8835471515fd77eec684a355460"	16	SRC_URI[sha256sum] = "526ecd0abaf4a7789041622c3950c0e7f2c4c8835471515fd77eec684a355460"
14		17