libxslt-1.1.32: Fix handling of RVTs returned from nested EXSLT functions [No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=792580 Set the context variable to NULL when evaluating EXSLT functions. Fixes potential use-after-free errors or memory leaks. Upstream-Status: Backport [https://git.gnome.org/browse/libxslt/commit/?id=8bd32f7753ac253a54279a0b6a88d15a57076bb0] bug: 792580 Signed-off-by: Andrej Valek diff --git a/libexslt/functions.c b/libexslt/functions.c index dc794e3..8511cb0 100644 --- a/libexslt/functions.c +++ b/libexslt/functions.c @@ -280,6 +280,7 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) { exsltFuncFunctionData *func; xmlNodePtr paramNode, oldInsert, fake; int oldBase; + void *oldCtxtVar; xsltStackElemPtr params = NULL, param; xsltTransformContextPtr tctxt = xsltXPathGetTransformContext(ctxt); int i, notSet; @@ -418,11 +419,14 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) { fake = xmlNewDocNode(tctxt->output, NULL, (const xmlChar *)"fake", NULL); oldInsert = tctxt->insert; + oldCtxtVar = tctxt->contextVariable; tctxt->insert = fake; + tctxt->contextVariable = NULL; xsltApplyOneTemplate (tctxt, tctxt->node, func->content, NULL, NULL); xsltLocalVariablePop(tctxt, tctxt->varsBase, -2); tctxt->insert = oldInsert; + tctxt->contextVariable = oldCtxtVar; tctxt->varsBase = oldBase; /* restore original scope */ if (params != NULL) xsltFreeStackElemList(params); diff --git a/tests/docs/bug-209.xml b/tests/docs/bug-209.xml new file mode 100644 index 0000000..69d62f2 --- /dev/null +++ b/tests/docs/bug-209.xml @@ -0,0 +1 @@ + diff --git a/tests/general/bug-209.out b/tests/general/bug-209.out new file mode 100644 index 0000000..e829790 --- /dev/null +++ b/tests/general/bug-209.out @@ -0,0 +1,2 @@ + + diff --git a/tests/general/bug-209.xsl b/tests/general/bug-209.xsl new file mode 100644 index 0000000..fe69ac6 --- /dev/null +++ b/tests/general/bug-209.xsl @@ -0,0 +1,21 @@ + + + + + + + + + + + + + + + + +