From 5b3b3151e4af0f6c234c97e01e05cf6edc9eceab Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Tue, 21 Mar 2023 12:19:50 +0100
Subject: [PATCH 1/2] malloc-fail: Fix memory leak in exclPrefixPush

Found by OSS-Fuzz, see #84.
---
 libxslt/xslt.c | 24 ++++++++----------------
 1 file changed, 8 insertions(+), 16 deletions(-)

diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 7a1ce011..6d4126a1 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -157,31 +157,23 @@ exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
 {
     int i;
 
-    if (style->exclPrefixMax == 0) {
-        style->exclPrefixMax = 4;
-        style->exclPrefixTab =
-            (xmlChar * *)xmlMalloc(style->exclPrefixMax *
-                                   sizeof(style->exclPrefixTab[0]));
-        if (style->exclPrefixTab == NULL) {
-            xmlGenericError(xmlGenericErrorContext, "malloc failed !\n");
-            return (-1);
-        }
-    }
     /* do not push duplicates */
     for (i = 0;i < style->exclPrefixNr;i++) {
         if (xmlStrEqual(style->exclPrefixTab[i], value))
             return(-1);
     }
     if (style->exclPrefixNr >= style->exclPrefixMax) {
-        style->exclPrefixMax *= 2;
-        style->exclPrefixTab =
-            (xmlChar * *)xmlRealloc(style->exclPrefixTab,
-                                    style->exclPrefixMax *
-                                    sizeof(style->exclPrefixTab[0]));
-        if (style->exclPrefixTab == NULL) {
+        xmlChar **tmp;
+        size_t max = style->exclPrefixMax ? style->exclPrefixMax * 2 : 4;
+
+        tmp = xmlRealloc(style->exclPrefixTab,
+                         max * sizeof(style->exclPrefixTab[0]));
+        if (tmp == NULL) {
             xmlGenericError(xmlGenericErrorContext, "realloc failed !\n");
             return (-1);
         }
+        style->exclPrefixTab = tmp;
+        style->exclPrefixMax = max;
     }
     style->exclPrefixTab[style->exclPrefixNr] = value;
     style->exclPrefix = value;
-- 
2.49.0

From 43c2b70b12717940ff9141c3bc2dc7f3a49df2b5 Mon Sep 17 00:00:00 2001
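Review bot: The new `size_t max` at the top of the growth branch is assigned back into `style->exclPrefixMax`, which the comparison against the `int` loop index `i` and the old `*= 2` suggest is an `int` field, so the assignment narrows silently and the doubling is still done in `int` arithmetic before being widened. Declaring the local to match the field, `int max = style->exclPrefixMax ? style->exclPrefixMax * 2 : 4;`, keeps the types consistent (building with `-Wconversion` would confirm which it is). The hunk also now relies on `xmlRealloc` accepting a NULL table for the very first allocation since the `xmlMalloc` branch is gone; a one-line comment above the call, `/* xmlRealloc(NULL, n) does the initial allocation, so no separate malloc path is needed */`, would record that. The rest of exclPrefixPush continues after the hunk.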
From: Nick Wellnhofer
Date: Thu, 5 Dec 2024 12:43:19 +0100
Subject: [PATCH 2/2] [CVE-2024-55549] Fix UAF related to excluded namespaces

Definitions of excluded namespaces could be deleted in xsltParseTemplateContent. Store excluded namespace URIs in the stylesheet's dictionary instead of referencing the namespace definition.

Thanks to Ivan Fratric for the report!

Fixes #127.
---
 libxslt/xslt.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 6d4126a1..11681a13 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
  * in case of error
  */
 static int
-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
 {
+    xmlChar *value;
     int i;
 
+    /*
+     * orig can come from a namespace definition on a node which
+     * could be deleted later, for example in xsltParseTemplateContent.
+     * Store the string in stylesheet's dict to avoid use after free.
+     */
+    value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
+    if (value == NULL)
+        return(-1);
+
     /* do not push duplicates */
     for (i = 0;i < style->exclPrefixNr;i++) {
         if (xmlStrEqual(style->exclPrefixTab[i], value))
-- 
2.49.0
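Review bot: The new `if (value == NULL) return(-1);` after the `xmlDictLookup` call fails silently and with the same return value the duplicate-prefix loop below uses, so a caller cannot tell an out-of-memory condition (or, presumably, a NULL `style->dict`) from a prefix that was already pushed, and the exclusion would simply be dropped without any diagnostic. The realloc path later in this function reports through `xmlGenericError`; this path should do the same, e.g. `xmlGenericError(xmlGenericErrorContext, "xmlDictLookup failed !\n");` before the return. The lookup also assumes `style->dict` is always populated by the time exclusion prefixes are pushed, which is worth stating in the new comment block if that invariant is guaranteed by the stylesheet constructor. exclPrefixPush continues beyond the end of the hunk.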