Avoid a heap use after free error

For https://code.google.com/p/chromium/issues/detail?id=140368

Avoid a heap use after free error
For https://code.google.com/p/chromium/issues/detail?id=140368
4da0f7e2 · Chris Evans · Daniel Veillard · 54977ed7 · 4da0f7e2
Commit 4da0f7e2 authored Sep 03, 2012 by Chris Evans Committed by Daniel Veillard Sep 03, 2012
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -660,6 +660,7 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
 void
 xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
    xmlNodePtr cur = NULL;
+    xmlXPathObjectPtr obj = NULL;
    long val;
    xmlChar str[30];
    xmlDocPtr doc;
@@ -667,7 +668,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
    if (nargs == 0) {
 	cur = ctxt->context->node;
    } else if (nargs == 1) {
-	xmlXPathObjectPtr obj;
 	xmlNodeSetPtr nodelist;
 	int i, ret;

@@ -690,7 +690,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
 	    if (ret == -1)
 	        cur = nodelist->nodeTab[i];
 	}
-	xmlXPathFreeObject(obj);
    } else {
 	xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL,
 		"generate-id() : invalid number of args %d\n", nargs);
@@ -713,6 +712,9 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){

    }

+    if (obj)
+        xmlXPathFreeObject(obj);
+
    val = (long)((char *)cur - (char *)doc);
    if (val >= 0) {
      sprintf((char *)str, "idp%ld", val);