summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'dev-libs/libxml2/files/libxml2-2.9.4-nullptrderef.patch')
-rw-r--r--dev-libs/libxml2/files/libxml2-2.9.4-nullptrderef.patch50
1 files changed, 50 insertions, 0 deletions
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-nullptrderef.patch b/dev-libs/libxml2/files/libxml2-2.9.4-nullptrderef.patch
new file mode 100644
index 000000000000..d2a9c3e2add5
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.4-nullptrderef.patch
@@ -0,0 +1,50 @@
+From e905f08123e4a6e7731549e6f09dadff4cab65bd Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 26 Jun 2016 12:38:28 +0200
+Subject: Fix more NULL pointer derefs in xpointer.c
+
+Found with afl-fuzz.
+---
+ xpointer.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/xpointer.c b/xpointer.c
+index 694d120..e643ee9 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -542,7 +542,7 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
+ /*
+ * Empty set ...
+ */
+- if (end->nodesetval->nodeNr <= 0)
++ if ((end->nodesetval == NULL) || (end->nodesetval->nodeNr <= 0))
+ return(NULL);
+ endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
+ endIndex = -1;
+@@ -1361,7 +1361,7 @@ xmlXPtrEval(const xmlChar *str, xmlXPathContextPtr ctx) {
+ */
+ xmlNodeSetPtr set;
+ set = tmp->nodesetval;
+- if ((set->nodeNr != 1) ||
++ if ((set == NULL) || (set->nodeNr != 1) ||
+ (set->nodeTab[0] != (xmlNodePtr) ctx->doc))
+ stack++;
+ } else
+@@ -2034,9 +2034,11 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ xmlXPathFreeObject(set);
+ XP_ERROR(XPATH_MEMORY_ERROR);
+ }
+- for (i = 0;i < oldset->locNr;i++) {
+- xmlXPtrLocationSetAdd(newset,
+- xmlXPtrCoveringRange(ctxt, oldset->locTab[i]));
++ if (oldset != NULL) {
++ for (i = 0;i < oldset->locNr;i++) {
++ xmlXPtrLocationSetAdd(newset,
++ xmlXPtrCoveringRange(ctxt, oldset->locTab[i]));
++ }
+ }
+
+ /*
+--
+cgit v0.12
+