From 8bd32f7753ac253a54279a0b6a88d15a57076bb0 Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Tue, 16 Jan 2018 18:59:02 +0100
|
|
Subject: [PATCH 09/33] Fix handling of RVTs returned from nested EXSLT
|
|
functions
|
|
|
|
Set the context variable to NULL when evaluating EXSLT functions.
|
|
Fixes potential use-after-free errors or memory leaks.
|
|
|
|
Fixes bug 792580. Thanks to Clemens Gutweiler for the report.
|
|
|
|
https://bugzilla.gnome.org/show_bug.cgi?id=792580
|
|
---
|
|
libexslt/functions.c | 4 ++++
|
|
tests/docs/bug-209.xml | 1 +
|
|
tests/general/bug-209.out | 2 ++
|
|
tests/general/bug-209.xsl | 21 +++++++++++++++++++++
|
|
4 files changed, 28 insertions(+)
|
|
create mode 100644 tests/docs/bug-209.xml
|
|
create mode 100644 tests/general/bug-209.out
|
|
create mode 100644 tests/general/bug-209.xsl
|
|
|
|
diff --git a/libexslt/functions.c b/libexslt/functions.c
|
|
index 74dea1a..2b83ca3 100644
|
|
--- a/libexslt/functions.c
|
|
+++ b/libexslt/functions.c
|
|
@@ -292,6 +292,7 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
|
|
exsltFuncFunctionData *func;
|
|
xmlNodePtr paramNode, oldInsert, fake;
|
|
int oldBase;
|
|
+ void *oldCtxtVar;
|
|
xsltStackElemPtr params = NULL, param;
|
|
xsltTransformContextPtr tctxt = xsltXPathGetTransformContext(ctxt);
|
|
int i, notSet;
|
|
@@ -430,11 +431,14 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
|
|
fake = xmlNewDocNode(tctxt->output, NULL,
|
|
(const xmlChar *)"fake", NULL);
|
|
oldInsert = tctxt->insert;
|
|
+ oldCtxtVar = tctxt->contextVariable;
|
|
tctxt->insert = fake;
|
|
+ tctxt->contextVariable = NULL;
|
|
xsltApplyOneTemplate (tctxt, tctxt->node,
|
|
func->content, NULL, NULL);
|
|
xsltLocalVariablePop(tctxt, tctxt->varsBase, -2);
|
|
tctxt->insert = oldInsert;
|
|
+ tctxt->contextVariable = oldCtxtVar;
|
|
tctxt->varsBase = oldBase; /* restore original scope */
|
|
if (params != NULL)
|
|
xsltFreeStackElemList(params);
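Review bot: The added `tctxt->contextVariable = NULL;` has no comment saying why the context variable is cleared, and the reason is a memory-safety one that is recorded only in the commit message (use-after-free or leaks with RVTs returned from nested EXSLT functions). Presumably result tree fragments created while the function body runs would otherwise be tied to the caller's variable and released with it; that reading is inferred from the message, not visible in the hunk. I would put `/* RVTs created while evaluating the function body must not be tied to the caller's variable (bug 792580) */` directly above the assignment. The save into `oldCtxtVar` and the restore after `xsltLocalVariablePop` are balanced in the visible lines, but the pairing only holds as long as no exit path is added between them. The body of exsltFuncFunctionFunction begins and ends outside this hunk.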
|
|
diff --git a/tests/docs/bug-209.xml b/tests/docs/bug-209.xml
|
|
new file mode 100644
|
|
index 0000000..69d62f2
|
|
--- /dev/null
|
|
+++ b/tests/docs/bug-209.xml
|
|
@@ -0,0 +1 @@
|
|
+<doc/>
|
|
diff --git a/tests/general/bug-209.out b/tests/general/bug-209.out
|
|
new file mode 100644
|
|
index 0000000..e829790
|
|
--- /dev/null
|
|
+++ b/tests/general/bug-209.out
|
|
@@ -0,0 +1,2 @@
|
|
+<?xml version="1.0"?>
|
|
+<result/>
|
|
diff --git a/tests/general/bug-209.xsl b/tests/general/bug-209.xsl
|
|
new file mode 100644
|
|
index 0000000..fe69ac6
|
|
--- /dev/null
|
|
+++ b/tests/general/bug-209.xsl
|
|
@@ -0,0 +1,21 @@
|
|
+<xsl:stylesheet
|
|
+ version="1.0"
|
|
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
|
|
+ xmlns:func="http://exslt.org/functions"
|
|
+ extension-element-prefixes="func">
|
|
+
|
|
+ <xsl:template match="/">
|
|
+ <xsl:variable name="v" select="func:a()" />
|
|
+ <xsl:copy-of select="$v"/>
|
|
+ </xsl:template>
|
|
+
|
|
+ <func:function name="func:a">
|
|
+ <func:result select="func:b()" />
|
|
+ </func:function>
|
|
+
|
|
+ <func:function name="func:b">
|
|
+ <func:result>
|
|
+ <result/>
|
|
+ </func:result>
|
|
+ </func:function>
|
|
+</xsl:stylesheet>
|
|
--
|
|
1.8.3.1
|
|
|