Commit fc1ff481 authored by Nick Wellnhofer's avatar Nick Wellnhofer

Fix use-after-free in xsltDocumentFunctionLoadDocument

Also fixes a memory leak in an unlikely error case.

Fixes bug #758291
https://bugzilla.gnome.org/show_bug.cgi?id=758291
parent a48c1a86
......@@ -180,7 +180,6 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
resObj = xmlXPtrEval(fragment, xptrctxt);
xmlXPathFreeContext(xptrctxt);
#endif
xmlFree(fragment);
if (resObj == NULL)
goto out_fragment;
......@@ -204,6 +203,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
}
valuePush(ctxt, resObj);
xmlFree(fragment);
return;
out_object:
......@@ -211,6 +211,7 @@ out_object:
out_fragment:
valuePush(ctxt, xmlXPathNewNodeSet(NULL));
xmlFree(fragment);
}
/**
......
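Review bot: With `xmlFree(fragment);` now placed under `out_fragment:`, every jump to that label frees `fragment`, so a `goto out_fragment` taken before `fragment` has been assigned would hand an indeterminate pointer to the allocator. The declaration and the early error paths of xsltDocumentFunctionLoadDocument are outside these hunks, so this cannot be confirmed from here. Initialising it at the declaration, `xmlChar *fragment = NULL;`, would keep the shared cleanup label safe on any path, assuming the configured deallocator accepts NULL as free() does. A short comment at the label would also help the next maintainer, for example `/* fragment is read by the error message on the out_object path; free it only on exit */`.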
<!DOCTYPE test [ <!ATTLIST A id ID #REQUIRED> ] >
<test>
<A id="X"/>
<A id="Y"/>
</test>
<?xml-stylesheet href="poc.xsl" type="text/xsl"?>
<in>bug-185-data.xml#xpointer(id('X')/range-to(id('Y')))</in>
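Review bot: The `<?xml-stylesheet href="poc.xsl" type="text/xsl"?>` instruction in this test document names a stylesheet that is not part of the commit, while the expected error output refers to `./bug-185.xsl`. The test runner presumably pairs document and stylesheet by file name, so the instruction is likely ignored, but it reads as a leftover from the original reproducer. Either drop it or point it at the committed file, `<?xml-stylesheet href="bug-185.xsl" type="text/xsl"?>`.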
runtime error: file ./bug-185.xsl line 7 element copy-of
document() : XPointer does not select a node set: #xpointer(id('X')/range-to(id('Y')))
no result for ./../docs/bug-185.xml
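Review bot: This expected output is only produced when XPointer evaluation is compiled in, because the line `document() : XPointer does not select a node set` depends on `xmlXPtrEval` returning a non-node-set object. The `#endif` right after that call in the first hunk suggests the evaluation is conditionally compiled, though the matching `#ifdef` is outside the hunk. If the regression suite is also run on builds without XPointer support, this case would need to be skipped or given alternative expected output there.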
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="in">
<annotation>
<xsl:copy-of select="."/>
<value>
<xsl:copy-of select="document(.)"/>
</value>
</annotation>
</xsl:template>
<xsl:template match="@*|node()">
<xsl:apply-templates/>
</xsl:template>
</xsl:stylesheet>