authorNick Wellnhofer <wellnhofer@aevum.de>2021-02-02 04:28:15 +0100
committerNick Wellnhofer <wellnhofer@aevum.de>2021-02-02 04:33:49 +0100
commit3e8bbcdec8d2318ca8ab27a2a4a509a5d9bb2d51 (patch)
treec6e580002f70183f7c22ac45e5aab0bc2481e7fe
parent7238299d64847e44bfe92170af1c7c57e26d469a (diff)
Fix double-free with stylesheets containing entity nodes
Fix broken logic to make sure that entity nodes are deleted from the stylesheet. Note that stylesheets parsed with XML_PARSE_NOENT, which is included in XSLT_PARSE_OPTIONS, aren't affected. Found by OSS-Fuzz.
-rw-r--r--libxslt/xslt.c8
1 files changed, 2 insertions, 6 deletions
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 7a1ce011..69116f2b 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -3656,12 +3656,8 @@ xsltPreprocessStylesheet(xsltStylesheetPtr style, xmlNodePtr cur)
(!xsltCheckExtURI(style, cur->ns->href))) {
goto skip_children;
} else if (cur->children != NULL) {
- if ((cur->children->type != XML_ENTITY_DECL) &&
- (cur->children->type != XML_ENTITY_REF_NODE) &&
- (cur->children->type != XML_ENTITY_NODE)) {
- cur = cur->children;
- continue;
- }
+ cur = cur->children;
+ continue;
}
skip_children:
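Review bot: The unconditional `cur = cur->children; continue;` is only safe if entity nodes can never reach this branch, and nothing in the hunk says so; the branch that handles non-element nodes lies outside the hunk, as does the rest of xsltPreprocessStylesheet. In libxml2 the children of an entity reference point at the entity declaration owned by the DTD, so descending into one would presumably let the loop unlink or free nodes the stylesheet does not own. If the invariant holds, a comment above the descent would record it, e.g. `/* Entity nodes were already marked for deletion above and jumped to skip_children, so cur is safe to descend into. */`. The diffstat shows only libxslt/xslt.c changed, so a regression stylesheet containing an entity reference, parsed without XML_PARSE_NOENT, would be worth adding alongside the fix.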