author | Selim Gurun <sgurun@google.com> | 2011-10-31 14:51:50 -0700 |
committer | Selim Gurun <sgurun@google.com> | 2011-11-01 14:38:19 -0700 |
commit | 82fe084c750cb2e6c839ec8b6aad5e2bb87c14dd (patch) | |
tree | 15cd8c278f76a550fd669f5dbc5a5decaf42c0cf | |
parent | f2da8ef9b4e7243c19e295fed847fa897e8230d3 (diff) | |
Fix XPath freeing error.android-sdk-adt_r20android-sdk-4.0.3_r1android-sdk-4.0.3-tools_r1android-cts-verifier-4.0_r1android-cts-verifier-4.0.3_r1android-cts-4.0.3_r2android-cts-4.0.3_r1android-4.0.4_r2.1android-4.0.4_r2android-4.0.4_r1.2android-4.0.4_r1.1android-4.0.4_r1android-4.0.3_r1.1android-4.0.3_r1tools_r20ics-plus-aospics-mr1-release
Bug: 5533654
Applied a patch from Chrome source code to prevent potential
multiple freeing and memory corruption in XPath. This patch
will become unnecessary once we pull in new libxml2.
The Chrome changes are here:
http://codereview.chromium.org/5196003
http://codereview.chromium.org/7508039
Change-Id: I0dd573e2f8e3cfbd1290735e68e44ebb13597482
Signed-off-by: Selim Gurun <sgurun@google.com>
-rw-r--r-- | patches/XPath_freeing_error.patch | 30 | ||||
-rw-r--r-- | xpath.c | 15 |
2 files changed, 40 insertions, 5 deletions
diff --git a/patches/XPath_freeing_error.patch b/patches/XPath_freeing_error.patch
new file mode 100644
index 00000000..8c94a188
--- /dev/null
+++ b/patches/XPath_freeing_error.patch
@@ -0,0 +1,30 @@
+This patch fixes security problems described in issue 5533654. Since the original fixes in libxml2 includes multiple amendments and are somewhat larger in scope, we limit the fix to just this particular issue to play it safe.
+The patch does what Chrome does to fix it.
+
+Eventually, when we upgrade libxml2 library, the patch will be unnecessary.
+
+
+--- a/xpath.c 2011-10-31 14:31:20.201049035 -0700
++++ b/xpath.c 2011-11-01 13:50:00.751736494 -0700
+@@ -11736,11 +11736,16 @@
+
+ if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+ xmlXPathObjectPtr tmp;
+- /* pop the result */
+- tmp = valuePop(ctxt);
+- xmlXPathReleaseObject(xpctxt, tmp);
+- /* then pop off contextObj, which will be freed later */
+- valuePop(ctxt);
++ /* pop the result if any */
++ tmp = valuePop(ctxt);
++ while (tmp != contextObj) {
++ /*
++ * Free up the result
++ * then pop off contextObj, which will be freed later
++ */
++ xmlXPathReleaseObject(xpctxt, tmp);
++ tmp = valuePop(ctxt);
++ }
+ goto evaluation_error;
+ }
@@ -11736,11 +11736,16 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
 if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
 xmlXPathObjectPtr tmp;
- /* pop the result */
- tmp = valuePop(ctxt);
- xmlXPathReleaseObject(xpctxt, tmp);
- /* then pop off contextObj, which will be freed later */
- valuePop(ctxt);
+ /* pop the result if any */
+ tmp = valuePop(ctxt);
+ while (tmp != contextObj) {
+ /*
+ * Free up the result
+ * then pop off contextObj, which will be freed later
+ */
+ xmlXPathReleaseObject(xpctxt, tmp);
+ tmp = valuePop(ctxt);
+ }
 goto evaluation_error;
 }
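Review bot: The replacement loop `while (tmp != contextObj)` in the xpath.c hunk has no guard for an exhausted value stack: if contextObj is not (or is no longer) on the stack, valuePop presumably returns NULL once the stack is empty, and since the loop exits only on pointer equality with contextObj it would never terminate, passing NULL to xmlXPathReleaseObject on every iteration. A bounded form such as `while ((tmp != NULL) && (tmp != contextObj))` keeps the intended behaviour of releasing any stray result objects while guaranteeing termination, and is still a single-line change. The identical loop is recorded in the patches/XPath_freeing_error.patch hunk above and would need the same amendment to stay in sync with the source. The enclosing function xmlXPathCompOpEvalPositionalPredicate starts and ends outside the hunk, so whether contextObj is guaranteed to have been pushed before this error path is not visible here.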