This fixes the remaining possible NULL pointer dereferences (caused by using valuePop() return values without a prior check), by applying a patch generated from the following semantic patch (spatch/coccinelle):
> // Fix possible NULL deref for valuePop retval
> // jpoko...@redhat.com
>
> @incl@
> @@
>
> #include <libxml/xpathInternals.h>
>
> @voidfn depends on incl exists@
> expression E;
> identifier fn, f, item;
> statement S1, S2;
> @@
> void fn (...) {
> <...
> E = valuePop(...);
> + if (E == NULL) return;
> ... when != if (E == NULL) S1 else S2
> (
> E->item;
> |
> E->item
> )
> ...>
> }
>
> // for cases the function is non-void (which implicitly supposes
> // a pointer as a return value rather than anything else);
> // not found helpful in libxslt case presently anyway
> //@nonvoidfn depends on incl exists@
> //expression E;
> //identifier fn != voidfn.fn, f, item;
> //statement S1, S2;
> //@@
> //fn (...) {
> //<...
> //E = valuePop(...);
> //+ if (E == NULL) return NULL;
> //... when != if (E == NULL) S1 else S2
> //(
> //E->item;
> //|
> //E->item
> //)
> //...>
> //}
Signed-off-by: Jan Pokorný <jpoko...@redhat.com>
---
 libexslt/common.c | 2 ++
 libexslt/saxon.c | 2 ++
 libexslt/strings.c | 2 ++
 libxslt/functions.c | 28 ++++++++++++++++++++++++++++
 4 files changed, 34 insertions(+)
diff --git a/libexslt/common.c b/libexslt/common.c
index 451a60d..aecacb7 100644
--- a/libexslt/common.c
+++ b/libexslt/common.c
@@ -84,6 +84,8 @@ exsltObjectTypeFunction (xmlXPathParserContextPtr ctxt, int nargs) {
 }
 obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
 switch (obj->type) {
 case XPATH_STRING:
diff --git a/libexslt/saxon.c b/libexslt/saxon.c
index e92ba8d..0a729eb 100644
--- a/libexslt/saxon.c
+++ b/libexslt/saxon.c
@@ -243,6 +243,8 @@ exsltSaxonLineNumberFunction(xmlXPathParserContextPtr ctxt, int nargs) {
 }
 obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
 nodelist = obj->nodesetval;
 if ((nodelist == NULL) || (nodelist->nodeNr <= 0)) {
 xmlXPathFreeObject(obj);
diff --git a/libexslt/strings.c b/libexslt/strings.c
index 3c702ad..188bdc9 100644
--- a/libexslt/strings.c
+++ b/libexslt/strings.c
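Review bot: The added `return` in exsltObjectTypeFunction (`@@ -84,6 +84,8 @@`, libexslt/common.c) exits without pushing a result or recording an XPath error, so whether the failure is ever reported depends on the evaluator noticing the short stack afterwards, which cannot be confirmed from this hunk. Every other hunk in this patch uses the same bare `return`. The semantic patch only matches files that include libxml/xpathInternals.h, which provides XP_ERROR (already used in xsltFormatNumberFunction), so `if (obj == NULL) XP_ERROR(XPATH_STACK_ERROR);` would make the failure explicit; the choice of error code is a suggestion. The function body starts and ends outside the hunk.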
@@ -486,6 +486,8 @@ exsltStrConcatFunction (xmlXPathParserContextPtr ctxt, int nargs) {
 }
 obj = valuePop (ctxt);
+ if (obj == NULL)
+ return;
 if (xmlXPathNodeSetIsEmpty(obj->nodesetval)) {
 xmlXPathReturnEmptyString(ctxt);
diff --git a/libxslt/functions.c b/libxslt/functions.c
index 4a5475d..d6e8aa8 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -251,6 +251,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs)
 }
 obj2 = valuePop(ctxt);
+ if (obj2 == NULL)
+ return;
 }
 if (ctxt->value->type == XPATH_NODESET) {
@@ -258,6 +260,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs)
 xmlXPathObjectPtr newobj, ret;
 obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
 ret = xmlXPathNewNodeSet(NULL);
 if ((obj != NULL) && obj->nodesetval) {
@@ -274,6 +278,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs)
 }
 xsltDocumentFunction(ctxt, 2);
 newobj = valuePop(ctxt);
+ if (newobj == NULL)
+ return;
 ret->nodesetval = xmlXPathNodeSetMerge(ret->nodesetval, newobj->nodesetval);
 xmlXPathFreeObject(newobj);
@@ -300,6 +306,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs)
 return;
 }
 obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
 if (obj->stringval == NULL) {
 valuePush(ctxt, xmlXPathNewNodeSet(NULL));
 } else {
@@ -370,6 +378,8 @@ xsltKeyFunction(xmlXPathParserContextPtr ctxt, int nargs){
 * Get the key's value. */
 obj2 = valuePop(ctxt);
+ if (obj2 == NULL)
+ return;
 xmlXPathStringFunction(ctxt, 1);
 if ((obj2 == NULL) || (ctxt->value == NULL) || (ctxt->value->type != XPATH_STRING)) {
@@ -401,6 +411,8 @@ xsltKeyFunction(xmlXPathParserContextPtr ctxt, int nargs){
 xmlXPathStringFunction(ctxt, 1);
 xsltKeyFunction(ctxt, 2);
 newobj = valuePop(ctxt);
+ if (newobj == NULL)
+ return;
 ret->nodesetval = xmlXPathNodeSetMerge(ret->nodesetval, newobj->nodesetval);
 xmlXPathFreeObject(newobj);
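Review bot: In the `@@ -251,6 +251,8 @@` hunk of xsltDocumentFunction the line right after the guarded pop, `if (ctxt->value->type == XPATH_NODESET) {`, still dereferences `ctxt->value` with no check, and popping `obj2` is what can leave the stack empty if it holds fewer values than `nargs` implies. The added guard covers the popped pointer but not the new top of stack. A check such as `if (ctxt->value == NULL) { xmlXPathFreeObject(obj2); return; }` before that line would close the gap, assuming `obj2` is initialised to NULL when `nargs` is 1 (its declaration is outside the hunk).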
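Review bot: In the `@@ -258,6 +260,8 @@` hunk the early `return` for a NULL `obj` drops whatever `obj2` was popped earlier in xsltDocumentFunction, and in the `@@ -274,6 +278,8 @@` hunk the `return` for a NULL `newobj` also drops `obj` and the `ret` node set allocated by `xmlXPathNewNodeSet(NULL)`. The same pattern appears in the `@@ -401,6 +411,8 @@` hunk of xsltKeyFunction and in xsltFormatNumberFunction (`@@ -630,8 +648,12 @@`), where a NULL `formatObj` or `numberObj` abandons the objects popped just above. Each exit should release what the function already owns, for example `xmlXPathFreeObject(ret); xmlXPathFreeObject(obj);` before the `return` for `newobj`. The new guard also makes the `(obj != NULL)` test just below it in the `@@ -258,6 +260,8 @@` hunk redundant.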
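Review bot: In the `@@ -370,6 +378,8 @@` hunk of xsltKeyFunction the new guard returns before the existing test `if ((obj2 == NULL) || (ctxt->value == NULL) || ...` two lines below, which already handles a NULL `obj2`. That makes the `obj2 == NULL` arm of the old condition dead and replaces whatever that branch does (its body is outside the hunk) with a silent return. Dropping the added guard here, or extending the semantic patch's `when !=` clause so that it recognises a NULL test inside a compound condition, would keep the original handling.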
@@ -466,6 +478,8 @@ xsltKeyFunction(xmlXPathParserContextPtr ctxt, int nargs){
 goto error;
 }
 obj2 = valuePop(ctxt);
+ if (obj2 == NULL)
+ return;
 value = obj2->stringval;
 /*
@@ -566,6 +580,8 @@ xsltUnparsedEntityURIFunction(xmlXPathParserContextPtr ctxt, int nargs){
 return;
 }
 obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
 if (obj->type != XPATH_STRING) {
 obj = xmlXPathConvertString(obj);
 }
@@ -620,6 +636,8 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
 case 3:
 CAST_TO_STRING;
 decimalObj = valuePop(ctxt);
+ if (decimalObj == NULL)
+ return;
 formatValues = xsltDecimalFormatGetByName(sheet, decimalObj->stringval);
 if (formatValues == NULL) {
 xsltTransformError(tctxt, NULL, NULL,
@@ -630,8 +648,12 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
 case 2:
 CAST_TO_STRING;
 formatObj = valuePop(ctxt);
+ if (formatObj == NULL)
+ return;
 CAST_TO_NUMBER;
 numberObj = valuePop(ctxt);
+ if (numberObj == NULL)
+ return;
 break;
 default:
 XP_ERROR(XPATH_INVALID_ARITY);
@@ -757,6 +779,8 @@ xsltSystemPropertyFunction(xmlXPathParserContextPtr ctxt, int nargs){
 return;
 }
 obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
 if (obj->stringval == NULL) {
 valuePush(ctxt, xmlXPathNewString((const xmlChar *)""));
 } else {
@@ -853,6 +877,8 @@ xsltElementAvailableFunction(xmlXPathParserContextPtr ctxt, int nargs){
 return;
 }
 obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
 tctxt = xsltXPathGetTransformContext(ctxt);
 if (tctxt == NULL) {
 xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL,
@@ -919,6 +945,8 @@ xsltFunctionAvailableFunction(xmlXPathParserContextPtr ctxt, int nargs){
 return;
 }
 obj = valuePop(ctxt);
+ if (obj == NULL)
+ return;
 name = xmlSplitQName2(obj->stringval, &prefix);
 if (name == NULL) {
--
1.8.1.4
_______________________________________________
xslt mailing list, project page http://xmlsoft.org/XSLT/ xslt@gnome.org https://mail.gnome.org/mailman/listinfo/xslt
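Review bot: In the `@@ -466,6 +478,8 @@` hunk of xsltKeyFunction the added guard uses `return` while the line just above it leaves through `goto error;`, so this exit skips whatever cleanup the `error` label performs. If that label tolerates a NULL `obj2` (it lies outside the hunk, so this needs checking), `if (obj2 == NULL) goto error;` keeps the function on a single exit path and avoids dropping objects it already holds.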