When compiling the stylesheet attached, libxslt crashes.
The problem lies inside xsltParseTemplateContent (when XSLT_REFACTORED
is not defined, which is the case in all standard configurations) in
xslt.c lines 4949-4956:
    if (cur->properties != NULL) {
        xmlAttrPtr attr = cur->properties;
        while (attr != NULL) {
            xsltCompileAttr(style, attr);
            attr = attr->next;
        }
    }
Here it is assumed that the xmlNodePtr cur refers to a valid xmlNode;
however, it can also be an xmlDtd.
When this is the case, and the DTD in the stylesheet has an internal
subset with attribute declarations, cur->properties is an xmlHashTablePtr
rather than an xmlAttrPtr.
This leads to xsltCompileAttr in attrvt.c lines 181-188:
    if ((attr->children->type != XML_TEXT_NODE) ||
        (attr->children->next != NULL)) {
        xsltTransformError(NULL, style, attr->parent,
            "Attribute '%s': The content is expected to be a single text "
            "node when compiling an AVT.\n", attr->name);
        style->errors++;
        return;
    }
Here attr->children is an xmlDictPtr rather than an xmlNodePtr, so ->next is
off the end of the struct and unlikely to be null; however, ->type is an
xmlDictEntryPtr, so it won't be equal to XML_TEXT_NODE (3).
Thus xsltTransformError is called with attr->name which is the
->nbElems of the xmlHashTablePtr and controllable by modifying the
internal subset, and attr->parent which is something past the end of
the struct. As ->name is destined for varargs, ->node is only ever
read from, and no value controlled by the stylesheet creator is
written anywhere interesting, I believe this can't be used to do
anything much.
A patch fixing the issue is attached.
Finally, can someone please look at my other patch already? It's been
over three months with no acknowledgement.
Martin
Attachment:
libxslt_boom.xslt
Description: application/xml
Attachment:
boomer.patch
Description: Binary data
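Added illustration (not the attached patch, and not libxslt or libxml2 code) of the mix-up the report describes: trimmed, constructed stand-ins for xmlNode and xmlDtd show that the slot an element uses for `properties` is the slot a DTD uses for its attribute-declaration hash table, and a guarded version of the loop skips anything that is not an element node.

```c
#include <stddef.h>

/* Constructed, trimmed stand-ins for libxml2's xmlNode and xmlDtd (the real
 * definitions are in libxml2's tree.h). Both begin with the same fields
 * (_private, type, name, children, ..., doc), so code holding a generic
 * xmlNodePtr can be handed either; the fields after `doc` differ. */
enum { XML_ELEMENT_NODE = 1, XML_DTD_NODE = 14 };

typedef struct attr { const char *name; struct attr *next; } attr_t;

typedef struct node {
    void *_private; int type; const char *name;
    struct node *children, *last, *parent, *next, *prev;
    void *doc;
    void *ns, *content;
    attr_t *properties;         /* element node: linked list of attributes */
} node_t;

typedef struct dtd {
    void *_private; int type; const char *name;
    struct node *children, *last, *parent, *next, *prev;
    void *doc;
    void *notations, *elements;
    void *attributes;           /* DTD node: hash table of attribute decls */
} dtd_t;

/* The slot a DTD uses for its attribute-declaration hash table is the one
 * an element uses for `properties`: an unguarded cur->properties walk on a
 * DTD node therefore follows a hash table as if it were an attr list. */
int properties_slot_aliases_dtd_attributes(void) {
    return offsetof(node_t, properties) == offsetof(dtd_t, attributes);
}

/* Guarded version of the loop in xsltParseTemplateContent: only an element
 * node's `properties` is an attribute list, so anything else is skipped.
 * Returns the number of attributes that would be handed to xsltCompileAttr. */
int count_attrs_to_compile(const node_t *cur) {
    int n = 0;
    if (cur == NULL || cur->type != XML_ELEMENT_NODE)
        return 0;               /* a DTD (or any non-element) is left alone */
    for (const attr_t *a = cur->properties; a != NULL; a = a->next)
        n++;
    return n;
}
```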