Re: [xslt] [PATCH] Crash compiling stylesheet with DTD

[Daniel Veillard <veillard redhat com>]

On Thu, Nov 20, 2008 at 05:52:30PM +0000, Martin (gzlist) wrote:
> When compiling the stylesheet attached, libxslt crashes.
> 
> The problem lies inside xsltParseTemplateContent (when XSLT_REFACTORED
> is not defined, which is the case in all standard configurations) in
> xslt.c lines 4949-4956:
> 
>     if (cur->properties != NULL) {
>         xmlAttrPtr attr = cur->properties;
> 
>         while (attr != NULL) {
>             xsltCompileAttr(style, attr);
>             attr = attr->next;
>         }
>     }
> 
> Here it is assumed that the xmlNodePtr cur refers to a valid xmlNode,
> however it can also be xmlDtd.
> 
> When this is the case, and the DTD in the stylesheet has in internal
> subset with attribute declarations, cur->properties is xmlHashTablePtr
> rather than xmlAttrPtr.
> 
> This leads to xsltCompileAttr in attrvt.c lines 181-188:
[...]
> Thus xsltTransformError is called with attr->name which is the
> ->nbElems of the xmlHashTablePtr and controllable by modifying the
> internal subset, and attr->parent which is something past the end of
> the struct. As ->name is destined for varargs, ->node is only ever
> read from, and no value controlled by the stylesheet creator is
> written anywhere interesting, I believe this can't be used to do
> anything much.

  Argh I see, good catch and good explanation !

> A patch fixing the issue is attached.

  yes, that looks just right, thanks a lot ! Applied and pushed to git

> Finally, can someone please look at my other patch already, it's been
> over three months with no acknowledgement.

  Ah, yes I see this, sorry this landed in an unvisited folder :-\
I will check it too !

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel veillard com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/