[libxml2] Fix XPath stack frame logic



commit 0f3b843b3534784ef57a4f9b874238aa1fda5a73
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Thu Jun 1 23:12:19 2017 +0200

    Fix XPath stack frame logic
    
    Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
    xmlXPathCompOpEvalPositionalPredicate to make sure that the context
    object on the stack is actually protected. Otherwise, memory corruption
    can occur when calling sloppily coded XPath extension functions.
    
    Fixes bug 783160.

 xpath.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/xpath.c b/xpath.c
index 9481507..b816bd3 100644
--- a/xpath.c
+++ b/xpath.c
@@ -11932,11 +11932,11 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
                }
            }
 
-            frame = xmlXPathSetFrame(ctxt);
            valuePush(ctxt, contextObj);
+            frame = xmlXPathSetFrame(ctxt);
            res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
-            tmp = valuePop(ctxt);
             xmlXPathPopFrame(ctxt, frame);
+            tmp = valuePop(ctxt);
 
            if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
                 while (tmp != contextObj) {
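Review bot: The ordering that the reordered lines around valuePush(ctxt, contextObj) now depend on is not documented in the code, so a later cleanup could swap the calls back without noticing. A short comment above valuePush would help, stating that contextObj must be pushed before xmlXPathSetFrame and popped only after xmlXPathPopFrame so that the frame protects it, as the commit message describes. The diffstat shows only xpath.c changing, so consider also adding a regression test for bug 783160 that evaluates a positional predicate through an extension function that pops more values than it should.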

