authorNick Wellnhofer <wellnhofer@aevum.de>2019-03-12 17:59:29 +0100
committerNick Wellnhofer <wellnhofer@aevum.de>2019-03-13 12:22:01 +0100
commiteb48a900198d991fff9bde6390e84066de66abea (patch)
treedaa14751248cc7717a4dd232dcd99f207fcdd8f4
parent6df1b708bd02f05c6d85ddddc1ca7f5450ebc5ea (diff)
Use xmlNewTextChild in EXSLT dyn:map
xmlNewChild supports entities but dyn:map should create an element containing a literal string. Found with libFuzzer and UBSan.
-rw-r--r--libexslt/dynamic.c18
-rw-r--r--tests/exslt/dynamic/dynmap.out1
-rw-r--r--tests/exslt/dynamic/dynmap.xsl1
3 files changed, 11 insertions, 9 deletions
diff --git a/libexslt/dynamic.c b/libexslt/dynamic.c
index dd0804bc..a5b569af 100644
--- a/libexslt/dynamic.c
+++ b/libexslt/dynamic.c
@@ -194,10 +194,10 @@ exsltDynMapFunction(xmlXPathParserContextPtr ctxt, int nargs)
case XPATH_BOOLEAN:
if (container != NULL) {
xmlNodePtr cur =
- xmlNewChild((xmlNodePtr) container, NULL,
- BAD_CAST "boolean",
- BAD_CAST (subResult->
- boolval ? "true" : ""));
+ xmlNewTextChild((xmlNodePtr) container, NULL,
+ BAD_CAST "boolean",
+ BAD_CAST (subResult->
+ boolval ? "true" : ""));
if (cur != NULL) {
cur->ns =
xmlNewNs(cur,
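Review bot: Nothing at the three changed call sites records why xmlNewTextChild is required, so a later cleanup could switch them back to xmlNewChild and bring back entity parsing of XPath result strings. A one-line comment above the call in this XPATH_BOOLEAN hunk, and likewise in the XPATH_NUMBER and XPATH_STRING hunks, would pin the intent: `/* content is literal text; xmlNewChild would parse '&' as an entity reference */`. The XPATH_STRING case is the one that passes `subResult->stringval` straight through, so the comment matters most there. exsltDynMapFunction starts and ends outside these hunks, and any other xmlNewChild callers in libexslt that pass XPath-derived strings are not visible here, so they may deserve the same check.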
@@ -215,8 +215,8 @@ exsltDynMapFunction(xmlXPathParserContextPtr ctxt, int nargs)
xmlXPathCastNumberToString(subResult->
floatval);
xmlNodePtr cur =
- xmlNewChild((xmlNodePtr) container, NULL,
- BAD_CAST "number", val);
+ xmlNewTextChild((xmlNodePtr) container, NULL,
+ BAD_CAST "number", val);
if (val != NULL)
xmlFree(val);
@@ -234,9 +234,9 @@ exsltDynMapFunction(xmlXPathParserContextPtr ctxt, int nargs)
case XPATH_STRING:
if (container != NULL) {
xmlNodePtr cur =
- xmlNewChild((xmlNodePtr) container, NULL,
- BAD_CAST "string",
- subResult->stringval);
+ xmlNewTextChild((xmlNodePtr) container, NULL,
+ BAD_CAST "string",
+ subResult->stringval);
if (cur != NULL) {
cur->ns =
xmlNewNs(cur,
diff --git a/tests/exslt/dynamic/dynmap.out b/tests/exslt/dynamic/dynmap.out
index 7a900cae..ca81ace5 100644
--- a/tests/exslt/dynamic/dynmap.out
+++ b/tests/exslt/dynamic/dynmap.out
@@ -37,6 +37,7 @@
<exsl:string xmlns:exsl="http://exslt.org/common">without-child</exsl:string>
<exsl:string xmlns:exsl="http://exslt.org/common">without-child</exsl:string>
<exsl:string xmlns:exsl="http://exslt.org/common">with-child</exsl:string>
+ <exsl:string xmlns:exsl="http://exslt.org/common">&amp;)</exsl:string>
</string>
<namespace>
<exsl:string xmlns:exsl="http://exslt.org/common">dynmap</exsl:string>
diff --git a/tests/exslt/dynamic/dynmap.xsl b/tests/exslt/dynamic/dynmap.xsl
index 40f9eaf1..867e39a8 100644
--- a/tests/exslt/dynamic/dynmap.xsl
+++ b/tests/exslt/dynamic/dynmap.xsl
@@ -17,6 +17,7 @@
</number>
<string>
<xsl:copy-of select="dyn:map(*, 'name()')"/>
+ <xsl:copy-of select="dyn:map(., '&quot;&amp;&#41;&quot;')"/>
</string>
<namespace>
<xsl:copy-of select="dyn:map(namespace::*, 'name(/*)')"/>
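Review bot: The added case covers only a malformed reference (`&)`), presumably the shape of input the fuzzer produced, so it does not pin what happens to a string that looks like a well-formed entity reference. Adding `<xsl:copy-of select="dyn:map(., '&quot;&amp;lt;&quot;')"/>` next to it, with `&amp;lt;` as the expected text in dynmap.out, would confirm that such a string is kept as literal text rather than resolved. The enclosing template starts and ends outside the hunk.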