Don't recurse into OP_VALUEs in xmlXPathOptimizeExpression

The ch1 slot of OP_VALUEs contains an invalid value. Ignore it.

Fixes bug #760325:

https://bugzilla.gnome.org/show_bug.cgi?id=760325

3 files changed, 9 insertions, 0 deletions

diff --git a/result/XPath/expr/base b/result/XPath/expr/base
index d308a920..e04346fa 100644
--- a/result/XPath/expr/base
+++ b/result/XPath/expr/base
@@ -20,5 +20,9 @@ Expression: (1+2)*(3+4)
 Object is a number : 21
 
 ========================
+Expression: 1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1
+Object is a number : 21
+
+========================
 Expression: self::-name
 Object is empty (NULL)
diff --git a/test/XPath/expr/base b/test/XPath/expr/base
index 0be4871e..f57e4d0c 100644
--- a/test/XPath/expr/base
+++ b/test/XPath/expr/base
@@ -3,4 +3,5 @@
 2*3
 1+2*3+4
 (1+2)*(3+4)
+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1
 self::-name
diff --git a/xpath.c b/xpath.c
index 6b92e7de..39240509 100644
--- a/xpath.c
+++ b/xpath.c
@@ -14786,6 +14786,10 @@ xmlXPathOptimizeExpression(xmlXPathCompExprPtr comp, xmlXPathStepOpPtr op)
 	}
     }
 
+    /* OP_VALUE has invalid ch1. */
+    if (op->op == XPATH_OP_VALUE)
+        return;
+
     /* Recurse */
     if (op->ch1 != -1)
         xmlXPathOptimizeExpression(comp, &comp->steps[op->ch1]);