[libxslt] Avoid a heap use after free error
- From: Daniel Veillard <veillard src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxslt] Avoid a heap use after free error
- Date: Mon, 3 Sep 2012 10:17:45 +0000 (UTC)
commit 4da0f7e207f14a03daad4663865c285eb27f93e9
Author: Chris Evans <cevans chromium org>
Date: Mon Sep 3 18:16:44 2012 +0800
Avoid a heap use after free error
For https://code.google.com/p/chromium/issues/detail?id=140368
libxslt/functions.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
---
diff --git a/libxslt/functions.c b/libxslt/functions.c
index 5a8eb79..fe2f1ca 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -660,6 +660,7 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
void
xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
xmlNodePtr cur = NULL;
+ xmlXPathObjectPtr obj = NULL;
long val;
xmlChar str[30];
xmlDocPtr doc;
@@ -667,7 +668,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
if (nargs == 0) {
cur = ctxt->context->node;
} else if (nargs == 1) {
- xmlXPathObjectPtr obj;
xmlNodeSetPtr nodelist;
int i, ret;
@@ -690,7 +690,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
if (ret == -1)
cur = nodelist->nodeTab[i];
}
- xmlXPathFreeObject(obj);
} else {
xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL,
"generate-id() : invalid number of args %d\n", nargs);
@@ -713,6 +712,9 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
}
+ if (obj)
+ xmlXPathFreeObject(obj);
+
val = (long)((char *)cur - (char *)doc);
if (val >= 0) {
sprintf((char *)str, "idp%ld", val);
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
