blob: e943e7904594441d26f6630b55de7995d9f239d3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
From 824657768aea2cce9c23e72ba8085cb5e44350c7 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 17 Aug 2020 04:27:13 +0200
Subject: [PATCH] Transfer XPath limits to XPtr context
Expressions like document('doc.xml#xpointer(evil_expr)') ignored the
XPath limits.
---
libxslt/functions.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/libxslt/functions.c b/libxslt/functions.c
index b350545a..975ea790 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -178,10 +178,22 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
goto out_fragment;
}
+#if LIBXML_VERSION >= 20911 || \
+ defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
+ xptrctxt->opLimit = ctxt->context->opLimit;
+ xptrctxt->opCount = ctxt->context->opCount;
+ xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
+
+ resObj = xmlXPtrEval(fragment, xptrctxt);
+
+ ctxt->context->opCount = xptrctxt->opCount;
+#else
resObj = xmlXPtrEval(fragment, xptrctxt);
- xmlXPathFreeContext(xptrctxt);
#endif
+ xmlXPathFreeContext(xptrctxt);
+#endif /* LIBXML_XPTR_ENABLED */
+
if (resObj == NULL)
goto out_fragment;
--
GitLab
|
