This fixes the remaining possible NULL pointer dereferences (caused by
using valuePop() return values without a prior check). The patch was
generated from the following semantic patch (spatch/coccinelle), v2:

> // Fix possible NULL deref for valuePop retval (v2)
> // jpoko...@redhat.com
> 
> @incl@
> @@
> 
> #include <libxml/xpathInternals.h>
> 
> @voidfn depends on incl exists@
> expression E;
> identifier fn, item;
> statement S1, S2;
> @@
> void fn (...) {
> <...
> E = valuePop(...);
> + if (E == NULL) return;
> ... when != if (<+... E == NULL ...+>) S1 else S2
> (
> E->item;
> |
> E->item
> )
> ...>
> }
> 
> //@nonvoidfn depends on incl exists@
> //expression E;
> //identifier fn != voidfn.fn, item;
> //statement S1, S2;
> //@@
> //fn (...) {
> //<...
> //E = valuePop(...);
> //+ if (E == NULL) return NULL;
> //... when != if (<+... E == NULL ...+>) S1 else S2
> //(
> //E->item;
> //|
> //E->item
> //)
> //...>
> //}

Signed-off-by: Jan Pokorný <jpoko...@redhat.com>
---
 libexslt/common.c   |  2 ++
 libexslt/saxon.c    |  2 ++
 libexslt/strings.c  |  2 ++
 libxslt/functions.c | 26 ++++++++++++++++++++++++++
 4 files changed, 32 insertions(+)

diff --git a/libexslt/common.c b/libexslt/common.c
index 451a60d..aecacb7 100644
--- a/libexslt/common.c
+++ b/libexslt/common.c
@@ -84,6 +84,8 @@ exsltObjectTypeFunction (xmlXPathParserContextPtr ctxt, int 
nargs) {
     }
 
     obj = valuePop(ctxt);
+    if (obj == NULL)
+        return;
 
     switch (obj->type) {
     case XPATH_STRING:
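Review bot: The added `if (obj == NULL) return;` leaves the function without pushing a result or recording an error, so the XPath evaluator carries on with a value stack that is one entry short and the caller cannot see the failure. The guard should flag the condition, e.g. `if (obj == NULL) { xmlXPathSetError(ctxt, XPATH_INVALID_OPERAND); return; }`. The same silent return is added in every other hunk of this patch (saxon.c, strings.c and all of libxslt/functions.c), including the two places where a function calls itself recursively and then pops the expected result. exsltObjectTypeFunction's body starts and ends outside the hunk, so it is not visible whether an earlier arity check already makes the NULL case unreachable.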
diff --git a/libexslt/saxon.c b/libexslt/saxon.c
index e92ba8d..0a729eb 100644
--- a/libexslt/saxon.c
+++ b/libexslt/saxon.c
@@ -243,6 +243,8 @@ exsltSaxonLineNumberFunction(xmlXPathParserContextPtr ctxt, 
int nargs) {
        }
 
        obj = valuePop(ctxt);
+       if (obj == NULL)
+           return;
        nodelist = obj->nodesetval;
        if ((nodelist == NULL) || (nodelist->nodeNr <= 0)) {
            xmlXPathFreeObject(obj);
diff --git a/libexslt/strings.c b/libexslt/strings.c
index 3c702ad..188bdc9 100644
--- a/libexslt/strings.c
+++ b/libexslt/strings.c
@@ -486,6 +486,8 @@ exsltStrConcatFunction (xmlXPathParserContextPtr ctxt, int 
nargs) {
     }
 
     obj = valuePop (ctxt);
+    if (obj == NULL)
+        return;
 
     if (xmlXPathNodeSetIsEmpty(obj->nodesetval)) {
        xmlXPathReturnEmptyString(ctxt);
diff --git a/libxslt/functions.c b/libxslt/functions.c
index 4a5475d..1006d97 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -251,6 +251,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int 
nargs)
         }
 
         obj2 = valuePop(ctxt);
+        if (obj2 == NULL)
+            return;
     }
 
     if (ctxt->value->type == XPATH_NODESET) {
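Review bot: `ctxt->value->type` on the context line right after the new `obj2` guard is still dereferenced without a NULL check, and once `obj2` has been popped the stack may be empty. The semantic patch only matches `E = valuePop(...)` followed by `E->item`, so it cannot see this pattern. A guard such as `if ((ctxt->value != NULL) && (ctxt->value->type == XPATH_NODESET)) {` would cover it. Whether a check outside the hunk already guarantees a second stack entry when nargs is 2 cannot be confirmed from here.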
@@ -258,6 +260,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int 
nargs)
         xmlXPathObjectPtr newobj, ret;
 
         obj = valuePop(ctxt);
+        if (obj == NULL)
+            return;
         ret = xmlXPathNewNodeSet(NULL);
 
         if ((obj != NULL) && obj->nodesetval) {
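Review bot: The early `return` added after `obj = valuePop(ctxt)` drops `obj2`, which the previous hunk may already have popped and which this function then owns. The later guards in xsltDocumentFunction leak more: the `newobj == NULL` return in the next hunk abandons `ret` from `xmlXPathNewNodeSet(NULL)` together with `obj`, and the `obj == NULL` return before `obj->stringval` drops `obj2` again. Each exit should release what has been popped or allocated so far, e.g. here `if (obj == NULL) { xmlXPathFreeObject(obj2); return; }`, which relies on xmlXPathFreeObject ignoring NULL and assumes `obj2` is initialised to NULL outside the hunk. The new guard also makes the `(obj != NULL)` test on the last line of this hunk redundant. For a long-running process that evaluates untrusted stylesheets, leaks on error paths add up to a memory-exhaustion risk.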
@@ -274,6 +278,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int 
nargs)
                 }
                 xsltDocumentFunction(ctxt, 2);
                 newobj = valuePop(ctxt);
+                if (newobj == NULL)
+                    return;
                 ret->nodesetval = xmlXPathNodeSetMerge(ret->nodesetval,
                                                        newobj->nodesetval);
                 xmlXPathFreeObject(newobj);
@@ -300,6 +306,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int 
nargs)
         return;
     }
     obj = valuePop(ctxt);
+    if (obj == NULL)
+        return;
     if (obj->stringval == NULL) {
         valuePush(ctxt, xmlXPathNewNodeSet(NULL));
     } else {
@@ -401,6 +409,8 @@ xsltKeyFunction(xmlXPathParserContextPtr ctxt, int nargs){
                xmlXPathStringFunction(ctxt, 1);
                xsltKeyFunction(ctxt, 2);
                newobj = valuePop(ctxt);
+               if (newobj == NULL)
+                   return;
                ret->nodesetval = xmlXPathNodeSetMerge(ret->nodesetval,
                                                       newobj->nodesetval);
                xmlXPathFreeObject(newobj);
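Review bot: Returning directly when `newobj == NULL` leaks `ret`, which is still being merged into on the next line and has not been pushed yet. The `obj2 == NULL` return in the following hunk has a related problem: it bypasses the `error` label that the line just above it reaches with `goto error;`. Both exits should go through the function's existing cleanup, e.g. `if (newobj == NULL) { xmlXPathFreeObject(ret); goto error; }` and `if (obj2 == NULL) goto error;`. The `error:` label and the objects it frees are outside the hunks, so confirm that it tolerates a NULL `obj2` before switching.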
@@ -466,6 +476,8 @@ xsltKeyFunction(xmlXPathParserContextPtr ctxt, int nargs){
            goto error;
        }
        obj2 = valuePop(ctxt);
+       if (obj2 == NULL)
+           return;
        value = obj2->stringval;
 
        /*
@@ -566,6 +578,8 @@ xsltUnparsedEntityURIFunction(xmlXPathParserContextPtr 
ctxt, int nargs){
        return;
     }
     obj = valuePop(ctxt);
+    if (obj == NULL)
+        return;
     if (obj->type != XPATH_STRING) {
        obj = xmlXPathConvertString(obj);
     }
@@ -620,6 +634,8 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int 
nargs)
     case 3:
        CAST_TO_STRING;
        decimalObj = valuePop(ctxt);
+       if (decimalObj == NULL)
+           return;
        formatValues = xsltDecimalFormatGetByName(sheet, decimalObj->stringval);
        if (formatValues == NULL) {
            xsltTransformError(tctxt, NULL, NULL,
@@ -630,8 +646,12 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, 
int nargs)
     case 2:
        CAST_TO_STRING;
        formatObj = valuePop(ctxt);
+       if (formatObj == NULL)
+           return;
        CAST_TO_NUMBER;
        numberObj = valuePop(ctxt);
+       if (numberObj == NULL)
+           return;
        break;
     default:
        XP_ERROR(XPATH_INVALID_ARITY);
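Review bot: The `formatObj == NULL` and `numberObj == NULL` returns in `case 2` leave earlier pops unreleased: `formatObj` is lost when `numberObj` is NULL, and `decimalObj` is lost too if `case 3` falls through into `case 2` (the fall-through is not visible in the hunks). Free them before leaving, e.g. `if (numberObj == NULL) { xmlXPathFreeObject(formatObj); xmlXPathFreeObject(decimalObj); return; }`, which relies on xmlXPathFreeObject ignoring NULL. This assumes `decimalObj` is initialised to NULL at its declaration, which lies outside the hunk.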
@@ -757,6 +777,8 @@ xsltSystemPropertyFunction(xmlXPathParserContextPtr ctxt, 
int nargs){
        return;
     }
     obj = valuePop(ctxt);
+    if (obj == NULL)
+        return;
     if (obj->stringval == NULL) {
        valuePush(ctxt, xmlXPathNewString((const xmlChar *)""));
     } else {
@@ -853,6 +875,8 @@ xsltElementAvailableFunction(xmlXPathParserContextPtr ctxt, 
int nargs){
        return;
     }
     obj = valuePop(ctxt);
+    if (obj == NULL)
+        return;
     tctxt = xsltXPathGetTransformContext(ctxt);
     if (tctxt == NULL) {
        xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL,
@@ -919,6 +943,8 @@ xsltFunctionAvailableFunction(xmlXPathParserContextPtr 
ctxt, int nargs){
        return;
     }
     obj = valuePop(ctxt);
+    if (obj == NULL)
+        return;
 
     name = xmlSplitQName2(obj->stringval, &prefix);
     if (name == NULL) {
-- 
1.8.1.4
