From 24d51683da1e748acceb234cdb6f670fa9dade9e Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Thu, 5 Dec 2024 12:43:19 +0100
|
|
Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
|
|
|
|
Definitions of excluded namespaces could be deleted in
|
|
xsltParseTemplateContent. Store excluded namespace URIs in the
|
|
stylesheet's dictionary instead of referencing the namespace definition.
|
|
|
|
Thanks to Ivan Fratric for the report!
|
|
|
|
Fixes #127.
|
|
---
|
|
libxslt/xslt.c | 22 +++++++++++-----------
|
|
1 file changed, 11 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
|
|
index 7a1ce011..4f975cd2 100644
|
|
--- a/libxslt/xslt.c
|
|
+++ b/libxslt/xslt.c
|
|
@@ -153,20 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
|
|
* in case of error
|
|
*/
|
|
static int
|
|
-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
|
|
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
|
|
{
|
|
+ xmlChar *value;
|
|
int i;
|
|
|
|
- if (style->exclPrefixMax == 0) {
|
|
- style->exclPrefixMax = 4;
|
|
- style->exclPrefixTab =
|
|
- (xmlChar * *)xmlMalloc(style->exclPrefixMax *
|
|
- sizeof(style->exclPrefixTab[0]));
|
|
- if (style->exclPrefixTab == NULL) {
|
|
- xmlGenericError(xmlGenericErrorContext, "malloc failed !\n");
|
|
- return (-1);
|
|
- }
|
|
- }
|
|
+ /*
|
|
+ * orig can come from a namespace definition on a node which
|
|
+ * could be deleted later, for example in xsltParseTemplateContent.
|
|
+ * Store the string in stylesheet's dict to avoid use after free.
|
|
+ */
|
|
+ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
|
|
+ if (value == NULL)
|
|
+ return(-1);
|
|
+
|
|
/* do not push duplicates */
|
|
for (i = 0;i < style->exclPrefixNr;i++) {
|
|
if (xmlStrEqual(style->exclPrefixTab[i], value))
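Review bot: The new `value == NULL` branch after the xmlDictLookup call returns -1 silently, dropping the diagnostic the removed malloc path printed, and -1 appears to be the same result the duplicate check below returns, so a caller can no longer tell a dictionary allocation failure from a duplicate prefix; keep the report, e.g. `if (value == NULL) { xmlGenericError(xmlGenericErrorContext, "malloc failed !\n"); return(-1); }`. The removed `exclPrefixMax == 0` initial allocation has no replacement in this hunk, so the growth path later in exclPrefixPush (outside the hunk) must cope with exclPrefixMax starting at 0, where a plain doubling stays 0 — worth confirming. Since exclPrefixTab now holds dict-interned strings (the cast discards the const that xmlDictLookup returns), a comment such as `/* entries are owned by style->dict; never xmlFree them */` where the table is declared or released would keep a later cleanup from freeing them and reintroducing a use-after-free. exclPrefixPush continues past the end of the hunk.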
|
|
--
|
|
2.49.0
|
|
|