44 lines
1.3 KiB
Diff
44 lines
1.3 KiB
Diff
From 529f65b0782efbe1137b2504aa1f06504a97dd0a Mon Sep 17 00:00:00 2001
|
|
From: Michael Mann <mmann78@netscape.net>
|
|
Date: Sat, 21 Jun 2025 12:51:24 -0400
|
|
Subject: [PATCH] Schematron: Fix use after free
|
|
|
|
(CVE-2025-49794)
|
|
|
|
Fixes #931
|
|
---
|
|
schematron.c | 9 ++++++++-
|
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/schematron.c b/schematron.c
|
|
index 5c1a27bf1..e2ec06d2c 100644
|
|
--- a/schematron.c
|
|
+++ b/schematron.c
|
|
@@ -1380,8 +1380,11 @@ xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
|
|
return(NULL);
|
|
|
|
if ((ret->type == XPATH_NODESET) &&
|
|
- (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
|
|
+ (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0)) {
|
|
node = ret->nodesetval->nodeTab[0];
|
|
+ /* Clear the nodeTab so the node data isn't freed below */
|
|
+ ret->nodesetval->nodeTab[0] = NULL;
|
|
+ }
|
|
|
|
xmlXPathFreeObject(ret);
|
|
return(node);
|
|
@@ -1446,6 +1449,10 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
|
|
ret = xmlStrcat(ret, BAD_CAST ":");
|
|
ret = xmlStrcat(ret, node->name);
|
|
}
|
|
+
|
|
+ if ((path != NULL) && (node != cur))
|
|
+ xmlXPathNodeSetFreeNs((xmlNsPtr)node);
|
|
+
|
|
} else if (IS_SCHEMATRON(child, "value-of")) {
|
|
xmlChar *select;
|
|
xmlXPathObjectPtr eval;
|
|
--
|
|
GitLab
|
|
|