author | Nick Wellnhofer <wellnhofer@aevum.de> | 2021-02-02 04:28:15 +0100 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2021-02-02 04:33:49 +0100 |
commit | 3e8bbcdec8d2318ca8ab27a2a4a509a5d9bb2d51 (patch) | |
tree | c6e580002f70183f7c22ac45e5aab0bc2481e7fe | |
parent | 7238299d64847e44bfe92170af1c7c57e26d469a (diff) | |
download | libxslt-3e8bbcdec8d2318ca8ab27a2a4a509a5d9bb2d51.tar.gz |
Fix double-free with stylesheets containing entity nodes

Fix broken logic to make sure that entity nodes are deleted from the
stylesheet. Note that stylesheets parsed with XML_PARSE_NOENT, which
is included in XSLT_PARSE_OPTIONS, aren't affected.

Found by OSS-Fuzz.

-rw-r--r-- | libxslt/xslt.c | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/libxslt/xslt.c b/libxslt/xslt.c index 7a1ce011..69116f2b 100644 --- a/libxslt/xslt.c +++ b/libxslt/xslt.c @@ -3656,12 +3656,8 @@ xsltPreprocessStylesheet(xsltStylesheetPtr style, xmlNodePtr cur) (!xsltCheckExtURI(style, cur->ns->href))) { goto skip_children; } else if (cur->children != NULL) { - if ((cur->children->type != XML_ENTITY_DECL) && - (cur->children->type != XML_ENTITY_REF_NODE) && - (cur->children->type != XML_ENTITY_NODE)) { - cur = cur->children; - continue; - } + cur = cur->children; + continue; } skip_children: |
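
Review bot: the now-unconditional `cur = cur->children; continue;` in the `else if (cur->children != NULL)` branch of xsltPreprocessStylesheet carries no comment saying why descending into entity children is correct, and the change comes without a regression test (the diffstat touches only libxslt/xslt.c). The removed condition looked only at the type of the first child, so whether the children were walked depended on what happened to come first. With the check gone, the handling of XML_ENTITY_DECL, XML_ENTITY_REF_NODE and XML_ENTITY_NODE nodes rests entirely on code elsewhere in the loop that this hunk does not show. I would add a one-line comment at the descent stating that entity nodes are dealt with when they are visited, and add a test stylesheet containing entity nodes that is parsed without XML_PARSE_NOENT, since the commit message says that is the only affected path and the default XSLT_PARSE_OPTIONS would not exercise it.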