[xslt] [PATCH 1/3] Fix NULL deref through valuePop retval: xsltGenerateIdFunction

From: Jan Pokorný <jpokorny redhat com>
To: xslt gnome org
Subject: [xslt] [PATCH 1/3] Fix NULL deref through valuePop retval: xsltGenerateIdFunction
Date: Wed, 18 Dec 2013 23:20:10 +0100

Test case (both template and the input):

<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform";>
<!-- xsl:output method="text" indent="no"/ -->
<xsl:template match="*">
<xsl:value-of select="generate-id()=generate-id(key('none', $nonexistent))"/>
</xsl:template>
</xsl:stylesheet>

Before:
runtime error: file bug-generateid-deref.xsl line 5 element value-of
Variable 'nonexistent' has not been declared.
XPath error : Stack usage error
XPath error : Stack usage error
Segmentation fault (core dumped)

After:
runtime error: file bug-generateid-deref.xsl line 5 element value-of
Variable 'nonexistent' has not been declared.
XPath error : Stack usage error
XPath error : Stack usage error
Segmentation fault (core dumped)

Now, however, the segfault occurs at another place (attempt to fix that
as well will follow.

Signed-off-by: Jan Pokorný <jpokorny redhat com>
---
 libxslt/functions.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libxslt/functions.c b/libxslt/functions.c
index dc61994..38345c0 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -680,6 +680,8 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
            return;
        }
        obj = valuePop(ctxt);
+       if (obj == NULL)
+           return;
        nodelist = obj->nodesetval;
        if ((nodelist == NULL) || (nodelist->nodeNr <= 0)) {
            xmlXPathFreeObject(obj);
-- 
1.8.1.4

References:
- [xslt] [PATCH 0/3] Fix NULL deref through valuePop retval
  - From: Jan Pokorný

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]