From 7f1e3c31018a8914af99fa3a9ff05a811ea29f52 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 22 Feb 2011 10:14:23 +0800
Subject: [PATCH] Fix generate-id() to not expose object addresses
To: libvir-list@redhat.com

For https://bugzilla.redhat.com/show_bug.cgi?id=684386
CVE-2011-1202

As pointed out by Chris Evans <scarybeasts@gmail.com> it's better
security wise to not expose object addresses directly, use a diff
w.r.t. the document root own address to avoid this
* libxslt/functions.c: fix IDs generation code

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
 libxslt/functions.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/libxslt/functions.c b/libxslt/functions.c
index 4720c7a..de962f4 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
 void
 xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
     xmlNodePtr cur = NULL;
-    unsigned long val;
-    xmlChar str[20];
+    long val;
+    xmlChar str[30];
+    xmlDocPtr doc;
 
     if (nargs == 0) {
 	cur = ctxt->context->node;
@@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
      * Okay this is ugly but should work, use the NodePtr address
      * to forge the ID
      */
-    val = (unsigned long)((char *)cur - (char *)0);
-    val /= sizeof(xmlNode);
-    sprintf((char *)str, "id%ld", val);
+    if (cur->type != XML_NAMESPACE_DECL)
+        doc = cur->doc;
+    else {
+        xmlNsPtr ns = (xmlNsPtr) cur;
+
+        if (ns->context != NULL)
+            doc = ns->context;
+        else
+            doc = ctxt->context->doc;
+
+    }
+
+    val = (long)((char *)cur - (char *)doc);
+    if (val >= 0) {
+      sprintf((char *)str, "idp%ld", val);
+    } else {
+      sprintf((char *)str, "idm%ld", -val);
+    }
     valuePush(ctxt, xmlXPathNewString(str));
 }
 
-- 
1.7.11.4