current/SOURCES/libxslt-CVE-2012-6139.patch

Description: fix denial of service via malformed stylesheet
Origin: backport, http://git.gnome.org/browse/libxslt/commit/?id=dc11b6b379a882418093ecc8adf11f6166682e8d
Origin: backport, http://git.gnome.org/browse/libxslt/commit/?id=6c99c519d97e5fcbec7a9537d190efb442e4e833
Bug: https://bugzilla.gnome.org/show_bug.cgi?id=685328
Bug: https://bugzilla.gnome.org/show_bug.cgi?id=685330
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703933

Index: libxslt-1.1.26/libxslt/functions.c
===================================================================
--- libxslt-1.1.26.orig/libxslt/functions.c     2013-03-28 13:01:33.052454020 -0400
+++ libxslt-1.1.26/libxslt/functions.c  2013-03-28 13:01:33.048454019 -0400
@@ -260,7 +260,7 @@
         obj = valuePop(ctxt);
         ret = xmlXPathNewNodeSet(NULL);
 
-        if (obj->nodesetval) {
+        if ((obj != NULL) && obj->nodesetval) {
             for (i = 0; i < obj->nodesetval->nodeNr; i++) {
                 valuePush(ctxt,
                           xmlXPathNewNodeSet(obj->nodesetval->nodeTab[i]));
@@ -280,7 +280,8 @@
             }
         }
 
-        xmlXPathFreeObject(obj);
+        if (obj != NULL)
+            xmlXPathFreeObject(obj);
         if (obj2 != NULL)
             xmlXPathFreeObject(obj2);
         valuePush(ctxt, ret);
Index: libxslt-1.1.26/libxslt/keys.c
===================================================================
--- libxslt-1.1.26.orig/libxslt/keys.c  2013-03-28 13:01:33.052454020 -0400
+++ libxslt-1.1.26/libxslt/keys.c       2013-03-28 13:01:33.048454019 -0400
@@ -311,8 +311,8 @@
                end = skipPredicate(match, end);
                if (end <= 0) {
                    xsltTransformError(NULL, style, inst,
-                                      "key pattern is malformed: %s",
-                                      key->match);
+                       "xsl:key : 'match' pattern is malformed: %s",
+                       key->match);
                    if (style != NULL) style->errors++;
                    goto error;
                }
@@ -321,7 +321,7 @@
        }
        if (current == end) {
            xsltTransformError(NULL, style, inst,
-                              "key pattern is empty\n");
+                              "xsl:key : 'match' pattern is empty\n");
            if (style != NULL) style->errors++;
            goto error;
        }
@@ -344,6 +344,12 @@
        }
        current = end;
     }
+    if (pattern == NULL) {
+        xsltTransformError(NULL, style, inst,
+                           "xsl:key : 'match' pattern is empty\n");
+        if (style != NULL) style->errors++;
+        goto error;
+    }
 #ifdef WITH_XSLT_DEBUG_KEYS
     xsltGenericDebug(xsltGenericDebugContext,
        "   resulting pattern %s\n", pattern);
@@ -359,14 +365,14 @@
     key->comp = xsltXPathCompile(style, pattern);
     if (key->comp == NULL) {
        xsltTransformError(NULL, style, inst,
-               "xsl:key : XPath pattern compilation failed '%s'\n",
+               "xsl:key : 'match' pattern compilation failed '%s'\n",
                         pattern);
        if (style != NULL) style->errors++;
     }
     key->usecomp = xsltXPathCompile(style, use);
     if (key->usecomp == NULL) {
        xsltTransformError(NULL, style, inst,
-               "xsl:key : XPath pattern compilation failed '%s'\n",
+               "xsl:key : 'use' expression compilation failed '%s'\n",
                         use);
        if (style != NULL) style->errors++;
     }
Index: libxslt-1.1.26/tests/docs/Makefile.am
===================================================================
--- libxslt-1.1.26.orig/tests/docs/Makefile.am  2013-03-28 13:01:33.052454020 -0400
+++ libxslt-1.1.26/tests/docs/Makefile.am       2013-03-28 13:01:33.048454019 -0400
@@ -168,6 +168,7 @@
        bug-167.xml \
        bug-168.xml \
        bug-169.xml \
+       bug-180.xml \
        character.xml \
        array.xml \
        items.xml
Index: libxslt-1.1.26/tests/docs/bug-180.xml
===================================================================
--- /dev/null   1970-01-01 00:00:00.000000000 +0000
+++ libxslt-1.1.26/tests/docs/bug-180.xml       2013-03-28 13:01:33.048454019 -0400
@@ -0,0 +1,2 @@
+<doc/>
+
Index: libxslt-1.1.26/tests/general/Makefile.am
===================================================================
--- libxslt-1.1.26.orig/tests/general/Makefile.am       2013-03-28 13:01:33.052454020 -0400
+++ libxslt-1.1.26/tests/general/Makefile.am    2013-03-28 13:01:50.948454478 -0400
@@ -177,6 +177,7 @@
     bug-167.out bug-167.xsl \
     bug-168.out bug-168.xsl \
     bug-169.out bug-169.xsl bug-169.imp \
+    bug-180.out bug-180.xsl bug-180.err \
     character.out character.xsl \
     character2.out character2.xsl \
     itemschoose.out itemschoose.xsl \
Index: libxslt-1.1.26/tests/general/bug-180.err
===================================================================
--- /dev/null   1970-01-01 00:00:00.000000000 +0000
+++ libxslt-1.1.26/tests/general/bug-180.err    2013-03-28 13:01:33.052454020 -0400
@@ -0,0 +1,4 @@
+runtime error: file ./bug-180.xsl line 4 element copy-of
+Variable 'xxx' has not been declared.
+XPath error : Stack usage errror
+xmlXPathCompiledEval: 1 objects left on the stack.
Index: libxslt-1.1.26/tests/general/bug-180.xsl
===================================================================
--- /dev/null   1970-01-01 00:00:00.000000000 +0000
+++ libxslt-1.1.26/tests/general/bug-180.xsl    2013-03-28 13:01:33.052454020 -0400
@@ -0,0 +1,8 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+
+  <xsl:template match="/">
+      <xsl:copy-of select=" * | document($xxx) "/>
+  </xsl:template>
+
+</xsl:stylesheet>
+
1	Description: fix denial of service via malformed stylesheet
2	Origin: backport, http://git.gnome.org/browse/libxslt/commit/?id=dc11b6b379a882418093ecc8adf11f6166682e8d
3	Origin: backport, http://git.gnome.org/browse/libxslt/commit/?id=6c99c519d97e5fcbec7a9537d190efb442e4e833
4	Bug: https://bugzilla.gnome.org/show_bug.cgi?id=685328
5	Bug: https://bugzilla.gnome.org/show_bug.cgi?id=685330
6	Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703933
7
8	Index: libxslt-1.1.26/libxslt/functions.c
9	===================================================================
10	--- libxslt-1.1.26.orig/libxslt/functions.c 2013-03-28 13:01:33.052454020 -0400
11	+++ libxslt-1.1.26/libxslt/functions.c 2013-03-28 13:01:33.048454019 -0400
12	@@ -260,7 +260,7 @@
13	obj = valuePop(ctxt);
14	ret = xmlXPathNewNodeSet(NULL);
15
16	- if (obj->nodesetval) {
17	+ if ((obj != NULL) && obj->nodesetval) {
18	for (i = 0; i < obj->nodesetval->nodeNr; i++) {
19	valuePush(ctxt,
20	xmlXPathNewNodeSet(obj->nodesetval->nodeTab[i]));
21	@@ -280,7 +280,8 @@
22	}
23	}
24
25	- xmlXPathFreeObject(obj);
26	+ if (obj != NULL)
27	+ xmlXPathFreeObject(obj);
28	if (obj2 != NULL)
29	xmlXPathFreeObject(obj2);
30	valuePush(ctxt, ret);
31	Index: libxslt-1.1.26/libxslt/keys.c
32	===================================================================
33	--- libxslt-1.1.26.orig/libxslt/keys.c 2013-03-28 13:01:33.052454020 -0400
34	+++ libxslt-1.1.26/libxslt/keys.c 2013-03-28 13:01:33.048454019 -0400
35	@@ -311,8 +311,8 @@
36	end = skipPredicate(match, end);
37	if (end <= 0) {
38	xsltTransformError(NULL, style, inst,
39	- "key pattern is malformed: %s",
40	- key->match);
41	+ "xsl:key : 'match' pattern is malformed: %s",
42	+ key->match);
43	if (style != NULL) style->errors++;
44	goto error;
45	}
46	@@ -321,7 +321,7 @@
47	}
48	if (current == end) {
49	xsltTransformError(NULL, style, inst,
50	- "key pattern is empty\n");
51	+ "xsl:key : 'match' pattern is empty\n");
52	if (style != NULL) style->errors++;
53	goto error;
54	}
55	@@ -344,6 +344,12 @@
56	}
57	current = end;
58	}
59	+ if (pattern == NULL) {
60	+ xsltTransformError(NULL, style, inst,
61	+ "xsl:key : 'match' pattern is empty\n");
62	+ if (style != NULL) style->errors++;
63	+ goto error;
64	+ }
65	#ifdef WITH_XSLT_DEBUG_KEYS
66	xsltGenericDebug(xsltGenericDebugContext,
67	" resulting pattern %s\n", pattern);
68	@@ -359,14 +365,14 @@
69	key->comp = xsltXPathCompile(style, pattern);
70	if (key->comp == NULL) {
71	xsltTransformError(NULL, style, inst,
72	- "xsl:key : XPath pattern compilation failed '%s'\n",
73	+ "xsl:key : 'match' pattern compilation failed '%s'\n",
74	pattern);
75	if (style != NULL) style->errors++;
76	}
77	key->usecomp = xsltXPathCompile(style, use);
78	if (key->usecomp == NULL) {
79	xsltTransformError(NULL, style, inst,
80	- "xsl:key : XPath pattern compilation failed '%s'\n",
81	+ "xsl:key : 'use' expression compilation failed '%s'\n",
82	use);
83	if (style != NULL) style->errors++;
84	}
85	Index: libxslt-1.1.26/tests/docs/Makefile.am
86	===================================================================
87	--- libxslt-1.1.26.orig/tests/docs/Makefile.am 2013-03-28 13:01:33.052454020 -0400
88	+++ libxslt-1.1.26/tests/docs/Makefile.am 2013-03-28 13:01:33.048454019 -0400
89	@@ -168,6 +168,7 @@
90	bug-167.xml \
91	bug-168.xml \
92	bug-169.xml \
93	+ bug-180.xml \
94	character.xml \
95	array.xml \
96	items.xml
97	Index: libxslt-1.1.26/tests/docs/bug-180.xml
98	===================================================================
99	--- /dev/null 1970-01-01 00:00:00.000000000 +0000
100	+++ libxslt-1.1.26/tests/docs/bug-180.xml 2013-03-28 13:01:33.048454019 -0400
101	@@ -0,0 +1,2 @@
102	+<doc/>
103	+
104	Index: libxslt-1.1.26/tests/general/Makefile.am
105	===================================================================
106	--- libxslt-1.1.26.orig/tests/general/Makefile.am 2013-03-28 13:01:33.052454020 -0400
107	+++ libxslt-1.1.26/tests/general/Makefile.am 2013-03-28 13:01:50.948454478 -0400
108	@@ -177,6 +177,7 @@
109	bug-167.out bug-167.xsl \
110	bug-168.out bug-168.xsl \
111	bug-169.out bug-169.xsl bug-169.imp \
112	+ bug-180.out bug-180.xsl bug-180.err \
113	character.out character.xsl \
114	character2.out character2.xsl \
115	itemschoose.out itemschoose.xsl \
116	Index: libxslt-1.1.26/tests/general/bug-180.err
117	===================================================================
118	--- /dev/null 1970-01-01 00:00:00.000000000 +0000
119	+++ libxslt-1.1.26/tests/general/bug-180.err 2013-03-28 13:01:33.052454020 -0400
120	@@ -0,0 +1,4 @@
121	+runtime error: file ./bug-180.xsl line 4 element copy-of
122	+Variable 'xxx' has not been declared.
123	+XPath error : Stack usage errror
124	+xmlXPathCompiledEval: 1 objects left on the stack.
125	Index: libxslt-1.1.26/tests/general/bug-180.xsl
126	===================================================================
127	--- /dev/null 1970-01-01 00:00:00.000000000 +0000
128	+++ libxslt-1.1.26/tests/general/bug-180.xsl 2013-03-28 13:01:33.052454020 -0400
129	@@ -0,0 +1,8 @@
130	+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
131	+
132	+ <xsl:template match="/">
133	+ <xsl:copy-of select=" * \| document($xxx) "/>
134	+ </xsl:template>
135	+
136	+</xsl:stylesheet>
137	+