[libxslt] Fix memory hazards in exsltFuncFunctionFunction

From: Nick Wellnhofer <nwellnhof src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxslt] Fix memory hazards in exsltFuncFunctionFunction
Date: Mon, 31 Jul 2017 13:14:54 +0000 (UTC)

commit 3892a890d9095b755453f0dc3d90a167df603cba
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Sun Jul 30 18:13:29 2017 +0200

    Fix memory hazards in exsltFuncFunctionFunction
    
    Get the current node from the transform context. The current node in
    the XPath context isn't guaranteed to be preserved when evaluating the
    function template and could point to an invalid address.
    
    Thanks to Nicolas Gregoire for the report.
    
    Fixes bug 785589.

 libexslt/functions.c      |    2 +-
 tests/docs/bug-207.xml    |    1 +
 tests/general/bug-207.out |    2 ++
 tests/general/bug-207.xsl |   23 +++++++++++++++++++++++
 4 files changed, 27 insertions(+), 1 deletions(-)
---
diff --git a/libexslt/functions.c b/libexslt/functions.c
index 9365d6e..5fd48bc 100644
--- a/libexslt/functions.c
+++ b/libexslt/functions.c
@@ -419,7 +419,7 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
                         (const xmlChar *)"fake", NULL);
     oldInsert = tctxt->insert;
     tctxt->insert = fake;
-    xsltApplyOneTemplate (tctxt, xmlXPathGetContextNode(ctxt),
+    xsltApplyOneTemplate (tctxt, tctxt->node,
                          func->content, NULL, NULL);
     xsltLocalVariablePop(tctxt, tctxt->varsBase, -2);
     tctxt->insert = oldInsert;
diff --git a/tests/docs/bug-207.xml b/tests/docs/bug-207.xml
new file mode 100644
index 0000000..3cf443a
--- /dev/null
+++ b/tests/docs/bug-207.xml
@@ -0,0 +1 @@
+<foo xmlns:abc="def"/>
diff --git a/tests/general/bug-207.out b/tests/general/bug-207.out
new file mode 100644
index 0000000..832a29e
--- /dev/null
+++ b/tests/general/bug-207.out
@@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+1
diff --git a/tests/general/bug-207.xsl b/tests/general/bug-207.xsl
new file mode 100644
index 0000000..8fe6c61
--- /dev/null
+++ b/tests/general/bug-207.xsl
@@ -0,0 +1,23 @@
+<xsl:stylesheet
+  version="1.0"
+  xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
+  xmlns:f="http://exslt.org/functions";
+  extension-element-prefixes="f">
+  <f:function name="f:f">
+    <xsl:param name="n"/>
+    <xsl:for-each select="namespace::*">
+      <xsl:sort/>
+    </xsl:for-each>
+    <xsl:choose>
+        <xsl:when test="$n > 0">
+            <f:result select="f:f($n - 1)"/>
+        </xsl:when>
+        <xsl:otherwise>
+            <f:result select="1"/>
+        </xsl:otherwise>
+    </xsl:choose>
+  </f:function>
+  <xsl:template match="/*">
+    <xsl:value-of select="f:f(4)"/>
+  </xsl:template>
+</xsl:stylesheet>

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]