libxslt/SOURCES/libxslt-1.1.32-CVE-2019-18197.patch

From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 17 Aug 2019 16:51:53 +0200
Subject: [PATCH] Fix dangling pointer in xsltCopyText

xsltCopyText didn't reset ctxt->lasttext in some cases which could
lead to various memory errors in relation with CDATA sections in input
documents.

Found by OSS-Fuzz.
---
 libxslt/transform.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libxslt/transform.c b/libxslt/transform.c
index 95ebd073..d7ab0b66 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
 	    if ((copy->content = xmlStrdup(cur->content)) == NULL)
 		return NULL;
 	}
+
+	ctxt->lasttext = NULL;
     } else {
         /*
 	 * normal processing. keep counters to extend the text node
-- 
2.22.0
import libxslt-1.1.32-5.el8 2020-11-03 11:44:38 +00:00			`From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001`
			`From: Nick Wellnhofer <wellnhofer@aevum.de>`
			`Date: Sat, 17 Aug 2019 16:51:53 +0200`
			`Subject: [PATCH] Fix dangling pointer in xsltCopyText`

			`xsltCopyText didn't reset ctxt->lasttext in some cases which could`
			`lead to various memory errors in relation with CDATA sections in input`
			`documents.`

			`Found by OSS-Fuzz.`
			`---`
			`libxslt/transform.c \| 2 ++`
			`1 file changed, 2 insertions(+)`

			`diff --git a/libxslt/transform.c b/libxslt/transform.c`
			`index 95ebd073..d7ab0b66 100644`
			`--- a/libxslt/transform.c`
			`+++ b/libxslt/transform.c`
			`@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,`
			`if ((copy->content = xmlStrdup(cur->content)) == NULL)`
			`return NULL;`
			`}`
			`+`
			`+ ctxt->lasttext = NULL;`
			`} else {`
			`/*`
			`* normal processing. keep counters to extend the text node`
			`--`
			`2.22.0`