shaba/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-03-19 14:50:07 +03:00
Code

Check XPath stack after calling functions

Browse Source 
Check that there's exactly one return value on the stack after calling
XPath functions. Otherwise, functions that corrupt the stack without
signaling an error could lead to memory errors.

Found with libFuzzer and UBSan.
This commit is contained in:
Nick Wellnhofer 2019-03-13 18:21:02 +01:00
parent c494a0ba67
commit 236dd6ab2e
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
xpath.c
View File

@ -13431,6 +13431,9 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
func(ctxt, op->value);
ctxt->context->function = oldFunc;
ctxt->context->functionURI = oldFuncURI;
if ((ctxt->error == XPATH_EXPRESSION_OK) &&
(ctxt->valueNr != ctxt->valueFrame + 1))
XP_ERROR0(XPATH_STACK_ERROR);
xmlXPathPopFrame(ctxt, frame);
return (total);
}