GNOME/libxml2
1
0
Fork 0
mirror of https://github.com/GNOME/libxml2.git synced 2025-10-14 02:58:39 +08:00
Code Issues Releases Wiki Activity

tree: Guard against atype corruption

Browse Source 
Always remove ids if `id` member is set.

Untested, but this should fix CVE-2025-7425 reported against libxslt:

https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
This commit is contained in:
Nick Wellnhofer
2025-08-05 22:26:27 +02:00
parent 152fbb60a9
commit f1e1f13b76
2 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
tree.c
View File

@@ -1691,8 +1691,8 @@ xmlFreeProp(xmlAttr *cur) {
xmlDeregisterNodeDefaultValue((xmlNodePtr)cur);
/* Check for ID removal -> leading to invalid references ! */
if ((cur->doc != NULL) && (cur->atype == XML_ATTRIBUTE_ID)) {
xmlRemoveID(cur->doc, cur);
if (cur->doc != NULL && cur->id != NULL) {
xmlRemoveID(cur->doc, cur);
}
if (cur->children != NULL) xmlFreeNodeList(cur->children);
DICT_FREE(cur->name)
@@ -2503,7 +2503,7 @@ xmlNodeSetDoc(xmlNodePtr node, xmlDocPtr doc) {
* TODO: ID attributes should also be added to the new
* document, but it's not clear how to handle clashes.
*/
if (attr->atype == XML_ATTRIBUTE_ID)
if (attr->id != NULL)
xmlRemoveID(oldDoc, attr);
break;
@@ -6569,7 +6569,7 @@ xmlSetNsProp(xmlNode *node, xmlNs *ns, const xmlChar *name,
return(NULL);
}
if (prop->atype == XML_ATTRIBUTE_ID) {
if (prop->id != NULL) {
xmlRemoveID(node->doc, prop);
prop->atype = XML_ATTRIBUTE_ID;
}

2
valid.c
View File

@@ -3945,7 +3945,7 @@ xmlValidateOneAttribute(xmlValidCtxt *ctxt, xmlDoc *doc,
attr->name, elem->name, NULL);
return(0);
}
if (attr->atype == XML_ATTRIBUTE_ID)
if (attr->id != NULL)
xmlRemoveID(doc, attr);
attr->atype = attrDecl->atype;