--- /dev/null
+From fe508f201efb9ea37bfbe95413b8b28251497de3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= <drott@chromium.org>
+Date: Wed, 27 Aug 2025 14:28:40 +0300
+Subject: [PATCH] End function node ancestor search at document
+
+Avoids dereferencing a non-existent ->ns property on an
+XML_DOCUMENT_NODE pointer.
+
+Fixes #151.
+
+CVE: CVE-2025-11731
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/fe508f201efb9ea37bfbe95413b8b28251497de3]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ libexslt/functions.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libexslt/functions.c b/libexslt/functions.c
+index 8d35a7ae..a54ee70c 100644
+--- a/libexslt/functions.c
++++ b/libexslt/functions.c
+@@ -617,8 +617,13 @@ exsltFuncResultComp (xsltStylesheetPtr style, xmlNodePtr inst,
+ * instanciation of a func:result element.
+ */
+ for (test = inst->parent; test != NULL; test = test->parent) {
+- if (IS_XSLT_ELEM(test) &&
+- IS_XSLT_NAME(test, "stylesheet")) {
++ if (/* Traversal has reached the top-level document without
++ * finding a func:function ancestor. */
++ (test != NULL && test->type == XML_DOCUMENT_NODE) ||
++ /* Traversal reached a stylesheet-namespace node,
++ * and has left the function namespace. */
++ (IS_XSLT_ELEM(test) &&
++ IS_XSLT_NAME(test, "stylesheet"))) {
+ xsltGenericError(xsltGenericErrorContext,
+ "func:result element not a descendant "
+ "of a func:function\n");
+--
+2.34.1
+
projects / thirdparty / openembedded / openembedded-core.git / commitdiff
