[libxslt] Crash when passing an uninitialized variable to document()



commit 6c99c519d97e5fcbec7a9537d190efb442e4e833
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Wed Oct 10 12:09:36 2012 +0200

    Crash when passing an uninitialized variable to document()
    
    https://bugzilla.gnome.org/show_bug.cgi?id=685330
    
    Missing check for NULL

 libxslt/functions.c       |    5 +++--
 tests/docs/Makefile.am    |    1 +
 tests/docs/bug-180.xml    |    2 ++
 tests/general/Makefile.am |    1 +
 tests/general/bug-180.err |    4 ++++
 tests/general/bug-180.xsl |    8 ++++++++
 6 files changed, 19 insertions(+), 2 deletions(-)
---
diff --git a/libxslt/functions.c b/libxslt/functions.c
index ed2c163..c754994 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -260,7 +260,7 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs)
         obj = valuePop(ctxt);
         ret = xmlXPathNewNodeSet(NULL);
 
-        if (obj->nodesetval) {
+        if ((obj != NULL) && obj->nodesetval) {
             for (i = 0; i < obj->nodesetval->nodeNr; i++) {
                 valuePush(ctxt,
                           xmlXPathNewNodeSet(obj->nodesetval->nodeTab[i]));
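Review bot: When `valuePop(ctxt)` returns NULL, the new guard `if ((obj != NULL) && obj->nodesetval)` only skips the loop, so the function still reaches `valuePush(ctxt, ret)` in the second hunk and hands back an empty node-set as if the call had succeeded. The expected output added in tests/general/bug-180.err ("Stack usage errror", "1 objects left on the stack") then records an inconsistent evaluator stack as the passing result. Because a stylesheet may come from an untrusted source, I would treat the failed pop as an evaluation error and return before `ret` is allocated, as sketched below; bug-180.err would need regenerating afterwards. The return value of `xmlXPathNewNodeSet()` is also used unchecked on the visible lines. The body of xsltDocumentFunction starts and ends outside both hunks, so any earlier validation of `ctxt->value` is not visible here.

```c
        obj = valuePop(ctxt);
        if (obj == NULL) {
            /* Nothing could be popped: report an error instead of
             * continuing with an empty result. */
            if (obj2 != NULL)
                xmlXPathFreeObject(obj2);
            ctxt->error = XPATH_STACK_ERROR;
            return;
        }
        ret = xmlXPathNewNodeSet(NULL);
        /* … unchanged: loop over obj->nodesetval, free obj/obj2, push ret … */
```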
@@ -280,7 +280,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs)
             }
         }
 
-        xmlXPathFreeObject(obj);
+        if (obj != NULL)
+            xmlXPathFreeObject(obj);
         if (obj2 != NULL)
             xmlXPathFreeObject(obj2);
         valuePush(ctxt, ret);
diff --git a/tests/docs/Makefile.am b/tests/docs/Makefile.am
index 59487a6..c5dad4c 100644
--- a/tests/docs/Makefile.am
+++ b/tests/docs/Makefile.am
@@ -178,6 +178,7 @@ EXTRA_DIST =	\
 	bug-177.xml \
 	bug-178.xml \
 	bug-179.xml \
+	bug-180.xml \
 	character.xml \
 	array.xml \
 	items.xml
diff --git a/tests/docs/bug-180.xml b/tests/docs/bug-180.xml
new file mode 100644
index 0000000..2ca0eba
--- /dev/null
+++ b/tests/docs/bug-180.xml
@@ -0,0 +1,2 @@
+<doc/>
+
diff --git a/tests/general/Makefile.am b/tests/general/Makefile.am
index 762eca9..0c2ef30 100644
--- a/tests/general/Makefile.am
+++ b/tests/general/Makefile.am
@@ -187,6 +187,7 @@ EXTRA_DIST = \
     bug-177.out bug-177.xsl \
     bug-178.out bug-178.xsl \
     bug-179.out bug-179.xsl \
+    bug-180.out bug-180.xsl bug-180.err \
     character.out character.xsl \
     character2.out character2.xsl \
     itemschoose.out itemschoose.xsl \
diff --git a/tests/general/bug-180.err b/tests/general/bug-180.err
new file mode 100644
index 0000000..e45b36e
--- /dev/null
+++ b/tests/general/bug-180.err
@@ -0,0 +1,4 @@
+runtime error: file ./bug-180.xsl line 4 element copy-of
+Variable 'xxx' has not been declared.
+XPath error : Stack usage errror
+xmlXPathCompiledEval: 1 objects left on the stack.
diff --git a/tests/general/bug-180.out b/tests/general/bug-180.out
new file mode 100644
index 0000000..e69de29
diff --git a/tests/general/bug-180.xsl b/tests/general/bug-180.xsl
new file mode 100644
index 0000000..652d9fc
--- /dev/null
+++ b/tests/general/bug-180.xsl
@@ -0,0 +1,8 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"; version="1.0">
+
+  <xsl:template match="/">
+      <xsl:copy-of select=" * | document($xxx) "/>
+  </xsl:template>
+
+</xsl:stylesheet>
+
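Review bot: The `xsl:stylesheet` start tag on the first added line has a `;` between the `xmlns:xsl` value and the `version` attribute, which is not well-formed XML. bug-180.err expects a runtime error at line 4 of this file, which requires the stylesheet to parse, so the `;` is most likely an artifact of the mail archive rather than part of the committed file. Anyone recreating the regression test from this page should use `xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"`, without the semicolon.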


