c/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2 synced 2025-03-28 21:33:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make XPath depth check work with recursive invocations

Browse Source 
EXSLT functions like dyn:map or dyn:evaluate invoke xmlXPathRunEval
recursively. Don't set depth to zero but keep and restore the original
value to avoid stack overflows when abusing these functions.
This commit is contained in:
Nick Wellnhofer 2022-07-28 20:21:24 +02:00
parent a82ea25fc8
commit 677a42645e
1 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
xpath.c
View File

@ -13884,12 +13884,11 @@ static int
xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
{
xmlXPathCompExprPtr comp;
int oldDepth;
if ((ctxt == NULL) || (ctxt->comp == NULL))
return(-1);
ctxt->context->depth = 0;
if (ctxt->valueTab == NULL) {
/* Allocate the value stack */
ctxt->valueTab = (xmlXPathObjectPtr *)
@ -13943,11 +13942,13 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
"xmlXPathRunEval: last is less than zero\n");
return(-1);
}
oldDepth = ctxt->context->depth;
if (toBool)
return(xmlXPathCompOpEvalToBoolean(ctxt,
&comp->steps[comp->last], 0));
else
xmlXPathCompOpEval(ctxt, &comp->steps[comp->last]);
ctxt->context->depth = oldDepth;
return(0);
}
@ -14218,6 +14219,7 @@ xmlXPathCompExprPtr
xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
xmlXPathParserContextPtr pctxt;
xmlXPathCompExprPtr comp;
int oldDepth = 0;
#ifdef XPATH_STREAMING
comp = xmlXPathTryStreamCompile(ctxt, str);
@ -14231,8 +14233,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
if (pctxt == NULL)
return NULL;
if (ctxt != NULL)
ctxt->depth = 0;
oldDepth = ctxt->depth;
xmlXPathCompileExpr(pctxt, 1);
if (ctxt != NULL)
ctxt->depth = oldDepth;
if( pctxt->error != XPATH_EXPRESSION_OK )
{
@ -14253,8 +14257,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
comp = pctxt->comp;
if ((comp->nbStep > 1) && (comp->last >= 0)) {
if (ctxt != NULL)
ctxt->depth = 0;
oldDepth = ctxt->depth;
xmlXPathOptimizeExpression(pctxt, &comp->steps[comp->last]);
if (ctxt != NULL)
ctxt->depth = oldDepth;
}
pctxt->comp = NULL;
}
@ -14410,6 +14416,7 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
#ifdef XPATH_STREAMING
xmlXPathCompExprPtr comp;
#endif
int oldDepth = 0;
if (ctxt == NULL) return;
@ -14423,8 +14430,10 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
#endif
{
if (ctxt->context != NULL)
ctxt->context->depth = 0;
oldDepth = ctxt->context->depth;
xmlXPathCompileExpr(ctxt, 1);
if (ctxt->context != NULL)
ctxt->context->depth = oldDepth;
CHECK_ERROR;
/* Check for trailing characters. */
@ -14433,9 +14442,11 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
if ((ctxt->comp->nbStep > 1) && (ctxt->comp->last >= 0)) {
if (ctxt->context != NULL)
ctxt->context->depth = 0;
oldDepth = ctxt->context->depth;
xmlXPathOptimizeExpression(ctxt,
&ctxt->comp->steps[ctxt->comp->last]);
if (ctxt->context != NULL)
ctxt->context->depth = oldDepth;
}
}