1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
|
libxslt-1.1.32: Fix handling of RVTs returned from nested EXSLT functions
[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=792580
Set the context variable to NULL when evaluating EXSLT functions.
Fixes potential use-after-free errors or memory leaks.
Upstream-Status: Backport [https://git.gnome.org/browse/libxslt/commit/?id=8bd32f7753ac253a54279a0b6a88d15a57076bb0]
bug: 792580
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
diff --git a/libexslt/functions.c b/libexslt/functions.c
index dc794e3..8511cb0 100644
--- a/libexslt/functions.c
+++ b/libexslt/functions.c
@@ -280,6 +280,7 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
exsltFuncFunctionData *func;
xmlNodePtr paramNode, oldInsert, fake;
int oldBase;
+ void *oldCtxtVar;
xsltStackElemPtr params = NULL, param;
xsltTransformContextPtr tctxt = xsltXPathGetTransformContext(ctxt);
int i, notSet;
@@ -418,11 +419,14 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
fake = xmlNewDocNode(tctxt->output, NULL,
(const xmlChar *)"fake", NULL);
oldInsert = tctxt->insert;
+ oldCtxtVar = tctxt->contextVariable;
tctxt->insert = fake;
+ tctxt->contextVariable = NULL;
xsltApplyOneTemplate (tctxt, tctxt->node,
func->content, NULL, NULL);
xsltLocalVariablePop(tctxt, tctxt->varsBase, -2);
tctxt->insert = oldInsert;
+ tctxt->contextVariable = oldCtxtVar;
tctxt->varsBase = oldBase; /* restore original scope */
if (params != NULL)
xsltFreeStackElemList(params);
diff --git a/tests/docs/bug-209.xml b/tests/docs/bug-209.xml
new file mode 100644
index 0000000..69d62f2
--- /dev/null
+++ b/tests/docs/bug-209.xml
@@ -0,0 +1 @@
+<doc/>
diff --git a/tests/general/bug-209.out b/tests/general/bug-209.out
new file mode 100644
index 0000000..e829790
--- /dev/null
+++ b/tests/general/bug-209.out
@@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+<result/>
diff --git a/tests/general/bug-209.xsl b/tests/general/bug-209.xsl
new file mode 100644
index 0000000..fe69ac6
--- /dev/null
+++ b/tests/general/bug-209.xsl
@@ -0,0 +1,21 @@
+<xsl:stylesheet
+ version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:func="http://exslt.org/functions"
+ extension-element-prefixes="func">
+
+ <xsl:template match="/">
+ <xsl:variable name="v" select="func:a()" />
+ <xsl:copy-of select="$v"/>
+ </xsl:template>
+
+ <func:function name="func:a">
+ <func:result select="func:b()" />
+ </func:function>
+
+ <func:function name="func:b">
+ <func:result>
+ <result/>
+ </func:result>
+ </func:function>
+</xsl:stylesheet>
|
