[xml] memory problem with unknown XPath functions

From: François Delyon <f delyon satimage fr>
To: xml gnome org
Subject: [xml] memory problem with unknown XPath functions
Date: Tue, 13 Feb 2007 17:03:16 +0100

I try to evaluate a wrong XPath expression like "//command[start-with(@code,'XML')]"(start-with() is not an xpath function; the final "s" of "starts" ismissing)

Then I get the error:
 malloc: ***  Deallocation of a pointer not malloced: 0x6d5b450;

This could be a double free(), or free() called with the middle of anallocated block;


I do the following:
xmlXPathCompExprPtr exp=xmlXPathCtxtCompile(xpathCtx,s);// no error??
xmlXPathObjectPtr xpathObj = xmlXPathCompiledEval(exp, xpathCtx);

As expected, xmlXPathCompOpEval returns at the test
                    if (func == NULL) {
                        xmlGenericError(xmlGenericErrorContext,

"xmlXPathCompOpEval:function %s not found\n",

                                        op->value4);
                        XP_ERROR0(XPATH_UNKNOWN_FUNC_ERROR);
                    }

then in xmlXPathCompiledEvalInternal(), the following code:
    /*
    * Pop all remaining objects from the stack.
    */
    if (pctxt->valueNr > 0) {
        xmlXPathObjectPtr tmp;
        int stack = 0;

        do {
            tmp = valuePop(pctxt);
            if (tmp != NULL) {
                if (tmp != NULL)
                    stack++;
                xmlXPathReleaseObject(ctxt, tmp);
            }
        } while (tmp != NULL);

generates the error at the third and last execution ofxmlXPathReleaseObject.

The double test "if (tmp != NULL)" seems suspect.
The last temp->type has a unknown random value.

François.

Follow-Ups:
- Re: [xml] memory problem with unknown XPath functions
  - From: William M. Brack

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]