author | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-26 16:53:49 +0100 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-26 16:55:37 +0100 |
commit | 290e3e459b4f76f5fa1e3784b866cc0b76b35a55 (patch) | |
tree | fd96392e75ad076b2835e1bc936d0e2f9946acd4 | |
parent | 80a37629f2117cd39065d6e6005a4dc14c1258fb (diff) | |
download | libxslt-290e3e459b4f76f5fa1e3784b866cc0b76b35a55.tar.gz |
malloc-fail: Fix out-of-bounds access in xsltEvalTemplateString
The context node might be a namespace node, resulting in an OOB access
when passed to xmlGetLineNo later. Pass the instruction node instead
which is what xsltTransformError expects anyway.
Found with libFuzzer, see #84.
-rw-r--r-- | libxslt/templates.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libxslt/templates.c b/libxslt/templates.c index 804eef53..f08b9bda 100644 --- a/libxslt/templates.c +++ b/libxslt/templates.c @@ -229,7 +229,7 @@ xsltEvalTemplateString(xsltTransformContextPtr ctxt, insert = xmlNewDocNode(ctxt->output, NULL, (const xmlChar *)"fake", NULL); if (insert == NULL) { - xsltTransformError(ctxt, NULL, contextNode, + xsltTransformError(ctxt, NULL, inst, "Failed to create temporary node\n"); return(NULL); } |
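Review bot: In the `insert == NULL` branch of xsltEvalTemplateString, the call now passes `inst` but nothing at the call site records why `contextNode` must not be used there, so a later cleanup could reintroduce it. Suggest a one-line comment above the xsltTransformError call stating that contextNode may be a namespace node and that the node argument ends up in xmlGetLineNo, as the commit message explains. This branch is only reached when xmlNewDocNode fails, so ordinary test runs will not cover it, and the diffstat shows only libxslt/templates.c changing. It would be worth checking the other xsltTransformError calls that pass a context node on allocation-failure paths for the same pattern, and keeping the fuzzer input from #84 as a regression case if the malloc-failure harness allows it.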