[xml] after xpath search, xmlXPathFreeObject() can generate segfault



Dear All,

   I have a program that uses xmlXPathEval() to produce a list of nodes in
an xmlXPathObject.  Those nodes are then further processed, in the course
of which they are all deleted.  Finally, on exit, I call
xmlXPathFreeObject() to clean up the xmlXPathObject -- but this generates
a segfault, because of the following code in xpath.c:

--------------------------------------------------------------------------------
void
xmlXPathFreeNodeSet(xmlNodeSetPtr obj) {
    if (obj == NULL) return;
    if (obj->nodeTab != NULL) {
        int i;

        /* @@ with_ns to check whether namespace nodes should be looked at @@ */
        for (i = 0;i < obj->nodeNr;i++)
            if ((obj->nodeTab[i] != NULL) &&
 -->            (obj->nodeTab[i]->type == XML_NAMESPACE_DECL))
                xmlXPathNodeSetFreeNs((xmlNsPtr) obj->nodeTab[i]);
        xmlFree(obj->nodeTab);
    }
    xmlFree(obj);
}
--------------------------------------------------------------------------------

   Right at the --> this code (from libxml2 2.6.4 CVS version of
1/6/04) dereferences a pointer which, since I have deleted the node, is
no longer valid.

   I can get around this by setting obj->nodeTab[i] = NULL for every
node "i" which has been deleted.  

   My point in mentioning this is: I haven't seen it mentioned before that
if you free a node resulting from a call to xmlXPathEval(), you had better
set the pointer in the xmlXPathObject nodeTab[] vector to zero before
calling xmlXPathFreeObject().
   If you don't, it's a relatively subtle error which can be tiresome to
track down, since my experience is that the usual result of the error is
nothing at all, I suppose because the pointer generally still points to
valid memory and it's unlikely to equal XML_NAMESPACE_DECL by
accident...

   CJG


