Fix XPath freeing error.

	Bug: 5533654

Applied a patch from the Chrome source code to prevent potential
multiple frees and memory corruption in XPath. This patch
will become unnecessary once we pull in a newer libxml2.
The Chrome changes are here:
http://codereview.chromium.org/5196003
http://codereview.chromium.org/7508039

Change-Id: I0dd573e2f8e3cfbd1290735e68e44ebb13597482
Signed-off-by: Selim Gurun <sgurun@google.com>
diff --git a/patches/XPath_freeing_error.patch b/patches/XPath_freeing_error.patch
new file mode 100644
index 0000000..8c94a18
--- /dev/null
+++ b/patches/XPath_freeing_error.patch
@@ -0,0 +1,30 @@
+This patch fixes security problems described in issue 5533654. Since the original fixes in libxml2 includes multiple amendments and are somewhat larger in scope, we limit the fix to just this particular issue to play it safe.
+The patch does what Chrome does to fix it.
+
+Eventually, when we upgrade libxml2 library, the patch will be unnecessary.
+
+
+--- a/xpath.c	2011-10-31 14:31:20.201049035 -0700
++++ b/xpath.c	2011-11-01 13:50:00.751736494 -0700
+@@ -11736,11 +11736,16 @@
+ 
+ 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+ 	        xmlXPathObjectPtr tmp;
+-		/* pop the result */
+-		tmp = valuePop(ctxt);
+-		xmlXPathReleaseObject(xpctxt, tmp);
+-		/* then pop off contextObj, which will be freed later */
+-		valuePop(ctxt);
++	        /* pop the result if any */
++	        tmp = valuePop(ctxt);
++	        while (tmp != contextObj) {
++	            /*
++	             * Free up the result
++	             * then pop off contextObj, which will be freed later
++	             */
++	             xmlXPathReleaseObject(xpctxt, tmp);
++	             tmp = valuePop(ctxt);
++	        }
+ 		goto evaluation_error;
+ 	    }
+ 
diff --git a/xpath.c b/xpath.c
index 2edf791..4783c0e 100644
--- a/xpath.c
+++ b/xpath.c
@@ -11736,11 +11736,16 @@
 
 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
 	        xmlXPathObjectPtr tmp;
-		/* pop the result */
-		tmp = valuePop(ctxt);
-		xmlXPathReleaseObject(xpctxt, tmp);
-		/* then pop off contextObj, which will be freed later */
-		valuePop(ctxt);
+	        /* pop the result if any */
+	        tmp = valuePop(ctxt);
+	        while (tmp != contextObj) {
+	            /*
+	             * Free up the result
+	             * then pop off contextObj, which will be freed later
+	             */
+	             xmlXPathReleaseObject(xpctxt, tmp);
+	             tmp = valuePop(ctxt);
+	        }
 		goto evaluation_error;
 	    }
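Review bot: The new `while (tmp != contextObj)` loop has no exit for an empty value stack: it stops only when `valuePop(ctxt)` returns `contextObj`, so if the failed evaluation has already consumed that object the loop would presumably never terminate (this assumes `valuePop` returns NULL on an empty stack and `xmlXPathReleaseObject` tolerates NULL, neither of which is visible in the hunk). Bounding it as `while ((tmp != NULL) && (tmp != contextObj)) {` keeps the multiple-free fix and lets that case reach `evaluation_error` instead of spinning on attacker-influenced XPath input. The block comment inside the loop still says "then pop off contextObj", which no longer describes a loop that releases every object above it; `/* release everything left above contextObj; contextObj itself is freed later */` would match the code. The same loop is recorded in patches/XPath_freeing_error.patch, and the enclosing function starts and ends outside this hunk.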