Fix use-after-free in xsltApplyTemplates (50f9c9cd) · Commits · GNOME / libxslt · GitLab

Commit 50f9c9cd authored Jun 12, 2021 by

Nick Wellnhofer

Fix use-after-free in xsltApplyTemplates

xsltApplyTemplates without a select expression could delete nodes in
the source document.

1. Text nodes with strippable whitespace

Whitespace from input documents is already stripped, so there's no
need to strip it again. Under certain circumstances, xsltApplyTemplates
could be fooled into deleting text nodes that are still referenced,
resulting in a use-after-free.

2. The DTD

The DTD was only unlinked, but there's no good reason to do this just
now. Maybe it was meant as a micro-optimization.

3. Unknown nodes

Useless and dangerous as well, especially with XInclude nodes.
See libxml2#268

Simply stop trying to uselessly delete nodes when applying a template.
This part of the code is probably a leftover from a time where
xsltApplyStripSpaces wasn't implemented yet. Also note that
xsltApplyTemplates with a select expression never tried to delete
nodes.

Also stop xsltDefaultProcessOneNode from deleting nodes for the same
reasons.

This fixes CVE-2021-30560.

parent b0074eec

Pipeline #363827 passed with stage

in 14 minutes and 53 seconds

Hide whitespace changes

Inline Side-by-side

Muhammed Shahin @shahiinn
mentioned in issue #56 (closed)
· Aug 06, 2021

mentioned in issue #56 (closed)

mentioned in issue #56

Toggle commit list

Please register or to comment