[xml] New(est) versions of libxslt segfault on stylesheet parsing

[Stephan A Suerken <absurd schlund de>]

Hi,

we did not find any reports about this:

libxml2 version: 2.6.7-1
libxslt version: 1.1.4-1

Obviously, "xsltParseStylesheetDoc" segfaults on certain stylesheets.

According to Claus Augusti, the usage of "namespaced variables in xsl
stylesheets" is the key.

To reproduce, run "xsltproc crash.xsl /dev/null" with
the crash example stylesheet below.

Example "crash" stylesheet (Claus Augusti):
---
<?xml version="1.0"?>
<xsl:stylesheet
  version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
  xmlns:exslt="http://exslt.org/common";

  xmlns:foo="http://www.foo.org";
>
  <!-- Both lines lead to a crash -->
  <xsl:variable name="foo:test" select="'content'"/>
  <xsl:variable name="foo:test2" select="$foo:test2"/>

</xsl:stylesheet>
---

Example backtrace:
---
[Switching to Thread 81926 (LWP 6753)]
0x40374b22 in pthread_mutex_lock () from /lib/libpthread.so.0
(gdb) bt
#0  0x40374b22 in pthread_mutex_lock () from /lib/libpthread.so.0
#1  0x4050efcd in free () from /lib/libc.so.6
#2  0x405e53dc in xsltGetQNameURI () from /usr/lib/libxslt.so.1
#3  0x081347d0 in ?? ()
#4  0x08119c7f in ?? ()
#5  0x08134460 in ?? ()
#6  0xbeffe8dc in ?? ()
#7  0x4000bbe0 in _dl_map_object_deps () from /lib/ld-linux.so.2
#8  0x405f9072 in xsltDocumentComp () from /usr/lib/libxslt.so.1
#9  0xbeffe8cc in ?? ()
#10 0x40601ff1 in ?? () from /usr/lib/libxslt.so.1
#11 0x406023c0 in xsltLibxmlVersion () from /usr/lib/libxslt.so.1
#12 0x08136778 in ?? ()
#13 0x081347d0 in ?? ()
#14 0x08136950 in ?? ()
#15 0x406091ec in ?? () from /usr/lib/libxslt.so.1
#16 0x08134460 in ?? ()
#17 0x08136778 in ?? ()
#18 0xbeffe90c in ?? ()
#19 0x405f9c95 in xsltStylePreCompute () from /usr/lib/libxslt.so.1
---

Thanks for any hints,

Stephan
-- 
Stephan A Suerken
<ssuerken|stephan.suerken|suerken|absurd schlund de>

Schlund + Partner AG, Karlsruhe
Internal: http://manwe.use.schlund.de/~absurd/