1 files changed, 42 insertions, 0 deletions

diff --git a/main/libxslt/Transfer-XPath-limits-to-XPtr-context.patch b/main/libxslt/Transfer-XPath-limits-to-XPtr-context.patch
new file mode 100644
index 0000000000..e943e79045
--- /dev/null
+++ b/main/libxslt/Transfer-XPath-limits-to-XPtr-context.patch
@@ -0,0 +1,42 @@
+From 824657768aea2cce9c23e72ba8085cb5e44350c7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 17 Aug 2020 04:27:13 +0200
+Subject: [PATCH] Transfer XPath limits to XPtr context
+
+Expressions like document('doc.xml#xpointer(evil_expr)') ignored the
+XPath limits.
+---
+ libxslt/functions.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index b350545a..975ea790 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -178,10 +178,22 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
+ 	goto out_fragment;
+     }
+ 
++#if LIBXML_VERSION >= 20911 || \
++    defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
++    xptrctxt->opLimit = ctxt->context->opLimit;
++    xptrctxt->opCount = ctxt->context->opCount;
++    xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
++
++    resObj = xmlXPtrEval(fragment, xptrctxt);
++
++    ctxt->context->opCount = xptrctxt->opCount;
++#else
+     resObj = xmlXPtrEval(fragment, xptrctxt);
+-    xmlXPathFreeContext(xptrctxt);
+ #endif
+ 
++    xmlXPathFreeContext(xptrctxt);
++#endif /* LIBXML_XPTR_ENABLED */
++
+     if (resObj == NULL)
+ 	goto out_fragment;
+ 
+-- 
+GitLab
+