crispAudio
/
poky
mirror of git://git.yoctoproject.org/poky


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103
							From 345d6826d0eae6f0a962456b8ed6f6a1bad0877d Mon Sep 17 00:00:00 2001
From: David Kilzer <ddkilzer@apple.com>
Date: Sat, 24 May 2025 15:06:42 -0700
Subject: [PATCH] libxslt: Type confusion in xmlNode.psvi between stylesheet
 and source nodes

* libxslt/functions.c:
(xsltDocumentFunctionLoadDocument):
- Implement fix suggested by Ivan Fratric.  This copies the xmlDoc,
  calls xsltCleanupSourceDoc() to remove pvsi fields, then adds the
  xmlDoc to tctxt->docList.
- Add error handling for functions that may return NULL.
* libxslt/transform.c:
- Remove static keyword so this can be called from
  xsltDocumentFunctionLoadDocument().
* libxslt/transformInternals.h: Add.
(xsltCleanupSourceDoc): Add declaration.

Fixes #139.

CVE: CVE-2025-7424
Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/libxslt/-/issues/139]
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 libxslt/functions.c          | 16 +++++++++++++++-
 libxslt/transform.c          |  3 ++-
 libxslt/transformInternals.h |  9 +++++++++
 3 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 libxslt/transformInternals.h

diff --git a/libxslt/functions.c b/libxslt/functions.c
index 72a58dc4..11ec039f 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -34,6 +34,7 @@
 #include "numbersInternals.h"
 #include "keys.h"
 #include "documents.h"
+#include "transformInternals.h"
 
 #ifdef WITH_XSLT_DEBUG
 #define WITH_XSLT_DEBUG_FUNCTION
@@ -125,7 +126,20 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt,
 	    /*
 	    * This selects the stylesheet's doc itself.
 	    */
-	    doc = tctxt->style->doc;
+	    doc = xmlCopyDoc(tctxt->style->doc, 1);
+	    if (doc == NULL) {
+		xsltTransformError(tctxt, NULL, NULL,
+		    "document() : failed to copy style doc\n");
+		goto out_fragment;
+	    }
+	    xsltCleanupSourceDoc(doc); /* Remove psvi fields. */
+	    idoc = xsltNewDocument(tctxt, doc);
+	    if (idoc == NULL) {
+		xsltTransformError(tctxt, NULL, NULL,
+		    "document() : failed to create xsltDocument\n");
+		xmlFreeDoc(doc);
+		goto out_fragment;
+	    }
 	} else {
             goto out_fragment;
 	}
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 54ef821b..38c2dce6 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -43,6 +43,7 @@
 #include "xsltlocale.h"
 #include "pattern.h"
 #include "transform.h"
+#include "transformInternals.h"
 #include "variables.h"
 #include "numbersInternals.h"
 #include "namespaces.h"
@@ -5757,7 +5758,7 @@ xsltCountKeys(xsltTransformContextPtr ctxt)
  *
  * Resets source node flags and ids stored in 'psvi' member.
  */
-static void
+void
 xsltCleanupSourceDoc(xmlDocPtr doc) {
     xmlNodePtr cur = (xmlNodePtr) doc;
     void **psviPtr;
diff --git a/libxslt/transformInternals.h b/libxslt/transformInternals.h
new file mode 100644
index 00000000..d0f42823
--- /dev/null
+++ b/libxslt/transformInternals.h
@@ -0,0 +1,9 @@
+/*
+ * Summary: set of internal interfaces for the XSLT engine transformation part.
+ *
+ * Copy: See Copyright for the status of this software.
+ *
+ * Author: David Kilzer <ddkilzer@apple.com>
+ */
+
+void xsltCleanupSourceDoc(xmlDocPtr doc);
-- 
2.39.5 (Apple Git-154)